Message from discussion Python library security announcement list

Date: Sat, 21 Jul 2012 14:52:39 -0700 (PDT)
From: Luke Plant <l.plant...@cantab.net>
To: python-security@googlegroups.com
Message-Id: <a5909df0-3926-4cb7-9683-4089167410a3@googlegroups.com>
Subject: Python library security announcement list

Hi all,

Something I've been worrying about for a while is the need for a security 
announcement list for small Python libraries that might be used in a 
typical web site.

For example, there are *many* Django libraries/apps out there, most of them 
far too small to have their own mailing lists (and very few would be 
subscribed if they had one), but certainly capable of needing a security 
announcement mechanism. I have written several libraries like this myself 
which could at least in theory have security problems, and I would have no 
effective way to announce that to my users.

One central mailing list for these kinds of apps, which I could post to as 
a library author, and subscribe to as a developer, might be a good solution 
to this.

Does such a thing already exist? If not, is this group interested in 
creating it?

It would probably be a good idea to make this applicable to any Python 
library that could be used in a web app situation, although my particular 
interest is Django apps - there will certainly be Python libraries that are 
not specific to Django/Zope/Pyramid etc but could be used in projects using 
those frameworks.

I guess some might say this list could be used, but I really don't think 
that would be appropriate. What I think we need is a list that is *solely* 
for security announcements, and not any further discussion. It should be 
something that all Python web developers would be subscribed to, and so 
would need fairly strict rules about who can post and what subjects etc. so 
that it remains low traffic.

It would also need to be separate from the announcements for Python itself, 
though I guess it might be a good idea to host it under a python.org 
address.

I think to be effective it would need buy-in from at least other web 
frameworks, as something to promote as a standard mailing list that 
developers should be subscribed to.

It could possibly be linked to PyPI - which might encourage some people to 
actually publish their packages to PyPI. I'm wondering if PyPI or the 
packaging libraries already have some infrastructure to deal with this - if 
so I don't know what it is, and it isn't well known.

What do people think?


Luke Plant (Django committer)
