disclosing security release dates on django-announce
132 views
Skip to first unread message
Tim Graham
Oct 7, 2016, 10:58:00 AM10/7/16
to Django developers (Contributions to Django itself)
The Django team proposes [0] to add the following to the security policy:
Approximately one week before public disclosure, ...
triaging our announcement and upgrade Django as needed.
[0] https://github.com/django/django/pull/7356
[1] https://docs.djangoproject.com/en/dev/internals/mailing-lists/#django-announce
Feedback is welcome.
Approximately one week before public disclosure, ...
| we notify django-announce [1] of the date and approximate time of the upcoming security release. No information about the issues is given. This is to |
| aid organizations that need to ensure they have staff available to handle |
[0] https://github.com/django/django/pull/7356
[1] https://docs.djangoproject.com/en/dev/internals/mailing-lists/#django-announce
Feedback is welcome.
Markus Holtermann
Oct 7, 2016, 12:47:38 PM10/7/16
to Django developers (Contributions to Django itself)
While we haven't decided of any particular format, you can expect the announcements to look a bit like https://mta.openssl.org/pipermail/openssl-announce/2016-September/000076.html
/Markus
Shai Berger
Oct 8, 2016, 11:26:06 AM10/8/16
to django-d...@googlegroups.com
On Friday 07 October 2016 19:47:38 Markus Holtermann wrote:
> On Friday, October 7, 2016 at 4:58:00 PM UTC+2, Tim Graham wrote:
> > The Django team proposes [0] to add the following to the security policy:
> >
> > Approximately one week before public disclosure, ...
> > we notify django-announce [1] of the date and approximate time of the
> > upcoming security release. No information about the issues is given. [...]
> On Friday, October 7, 2016 at 4:58:00 PM UTC+2, Tim Graham wrote:
> > The Django team proposes [0] to add the following to the security policy:
> >
> > Approximately one week before public disclosure, ...
> > we notify django-announce [1] of the date and approximate time of the
>
> While we haven't decided of any particular format, you can expect the
> announcements to look a bit like
>https://mta.openssl.org/pipermail/openssl-announce/2016-September/000076.html
>
with nitpicking():
> While we haven't decided of any particular format, you can expect the
> announcements to look a bit like
>https://mta.openssl.org/pipermail/openssl-announce/2016-September/000076.html
>
this example does give some information about the issues -- the number of
issues and an assessment of their severitly level. I believe it is a good
example to follow.
Shai.
Tim Graham
Oct 10, 2016, 3:41:00 PM10/10/16
to Django developers (Contributions to Django itself)
Providing an indication of severity would be fine with me. Does anyone know of other web frameworks that have descriptions of severity classifications that we could borrow?
Alex Gaynor
Oct 10, 2016, 3:43:09 PM10/10/16
to django-d...@googlegroups.com
We already have one :-), our bounty indicates several severity levels: https://hackerone.com/django
Alex
--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscribe@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/41d3c6cc-76d6-4e10-aed6-5f1cb0d85f3f%40googlegroups.com.
"I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: D1B3 ADC0 E023 8CA6
Tim Graham
Oct 10, 2016, 7:28:09 PM10/10/16
to Django developers (Contributions to Django itself)
Thanks, I added that to the PR.
On Monday, October 10, 2016 at 3:43:09 PM UTC-4, Alex_Gaynor wrote:
We already have one :-), our bounty indicates several severity levels: https://hackerone.com/djangoAlex
On Mon, Oct 10, 2016 at 3:40 PM, Tim Graham <timog...@gmail.com> wrote:
Providing an indication of severity would be fine with me. Does anyone know of other web frameworks that have descriptions of severity classifications that we could borrow?
On Saturday, October 8, 2016 at 11:26:06 AM UTC-4, Shai Berger wrote:On Friday 07 October 2016 19:47:38 Markus Holtermann wrote:
> On Friday, October 7, 2016 at 4:58:00 PM UTC+2, Tim Graham wrote:
> > The Django team proposes [0] to add the following to the security policy:
> >
> > Approximately one week before public disclosure, ...
> > we notify django-announce [1] of the date and approximate time of the
> > upcoming security release. No information about the issues is given. [...]
>
> While we haven't decided of any particular format, you can expect the
> announcements to look a bit like
>https://mta.openssl.org/pipermail/openssl-announce/2016-September/000076.html
>
with nitpicking():
this example does give some information about the issues -- the number of
issues and an assessment of their severitly level. I believe it is a good
example to follow.
Shai.
--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-develop...@googlegroups.com.
To post to this group, send email to django-d...@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/41d3c6cc-76d6-4e10-aed6-5f1cb0d85f3f%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages