On 22/07/12 20:10, Craig Younkins wrote:
> Yeah, I agree that security announcements are a bit of a problem.
> When I read your post I envisioned a site where you could check boxes
> for the libraries you use. That way you don't get noise with your
> subscription. It could also have boxes for tons of libraries that
> aren't signed up for the site, which we can use to pressure the
> developers of that library.
>
> Luke, would you personally find such a service more useful than the
> PythonSecurity.org wiki? (other people, please respond as well) I
> can use that to determine where I should spend my time.
I personally would be happy as long as the service 'pushed' the
information to me on a system I already use very regularly, showing me
what is new, and in a way that I can control exactly when I look at it.
So for me:
- email is fine, since I already use email daily
- RSS/Atom is fine, since I already have a feed reader
- SMS would be too intrusive/interruptive
- a web page that I have to remember to visit, and mentally keep
track of what is new and what I saw last time, wouldn't
be of much use to me.
I would prefer email out of these options.
I too had imagined a site where you could subscribe to specific
packages. The problem is that I would have to remember to keep my
subscriptions updated every time I added a new dependency to any
project. Psychologically, at the point where I'm adding packages, I
don't want to stop and deal with that kind of admin - I want to get on
and code - but if I don't do it then, I'll forget.
In fact, there are many cases where I add a dependency, or at least
download it and try it, then decide against it, or later abandon the
project. All these possibilities mean that for me at least, my
subscriptions would get out of date easily, and I'm much more likely to
end up getting the security announcements I need if I'm just subscribed
to everything.
A specific subscription service would also increase the complexity of
the system from essentially just a mailing list and someone
moderating/managing who can post to it, to a significantly bigger system
that would require maintenance. IMO, it would be better to wait until
the traffic on such a list is a genuine problem before adding ways of
automatically filtering it out per user.
There is another benefit of getting 'irrelevant' security announcements
- it could raise the profile of certain security problems that I may
have forgotten about as a library/web site developer. If I see "package
foobar was not correctly sanitising file names for uploads, allowing
dangerous extensions like .php to be placed on the server", then I might
realise that my project does the same, although I wasn't using foobar.
I do agree that we would need a way to publicise this so library
developers feel that they ought to be on it. If it gains support here,
we could ask the other major frameworks (Zope, Turbogears etc) what they
thought, and if they have any mechanism in place.
Regards,
Luke
--
"Pretension: The downside of being better than everyone else is
that people tend to assume you're pretentious." (despair.com)
Luke Plant || http://lukeplant.me.uk/