Who should security issues be reported to?


Question


Who are the appropriate people to report security problems to
in respect of a module included with the Python distribution?
I don't feel it appropriate to be reporting it on general mailing
lists.

Answers

In article <11*********************@f14g2000cwb.googlegroups.com>,
<gr*****@dscpl.com.au> wrote:


> Who are the appropriate people to report security problems to in
> respect of a module included with the Python distribution? I don't
> feel it appropriate to be reporting it on general mailing lists.

There is no generally appropriate non-public mechanism for reporting
security issues. If you really think this needs to be handled
privately, do some research to find out which core developer is most
likely to be familiar with it. Even before you do that, check
SourceForge to find out whether anyone else has reported it as a bug.
--
Aahz (aa**@pythoncraft.com) <*> http://www.pythoncraft.com/

"19. A language that doesn't affect the way you think about programming,
is not worth knowing." --Alan Perlis


Aahz wrote:
> In article <11*********************@f14g2000cwb.googlegroups.com>,
> <gr*****@dscpl.com.au> wrote:
>
>> Who are the appropriate people to report security problems to in
>> respect of a module included with the Python distribution? I don't
>> feel it appropriate to be reporting it on general mailing lists.
>
> There is no generally appropriate non-public mechanism for reporting
> security issues. If you really think this needs to be handled
> privately, do some research to find out which core developer is most
> likely to be familiar with it. Even before you do that, check
> SourceForge to find out whether anyone else has reported it as a bug.

I find this response a bit disappointing frankly. Open Source people
make such a big deal about having lots of people being able to look at
source code and from that discover security problems, thus somehow
making it better than proprietary source code. From what I can see, if
an Open Source project is quite large with lots of people involved, it
makes it very hard to try and identify who you should report something
to when there is no clearly identifiable single point of contact for
security related issues. Why should I have to go through hoops to try
and track down who is appropriate to send it to? All you need is a
single advertised email address for security issues which is forwarded
onto a small group of developers who can then evaluate the issue and
forward it on to the appropriate person. Such developers could probably
do such evaluation in minutes, yet I have to spend a lot longer trying
to research who to send it to and then potentially wait days for some
obscure person mentioned in the source code who has not touched it in
years to respond, if at all. Meanwhile you have a potentially severe
security hole sitting there waiting for someone to exploit, with the
only saving grace being the low relative numbers of users who may be
using it in the insecure manner and that it would be hard to identify
the actual web sites which suffer the problem.

I'm sorry, but this isn't really good enough. If Open Source wants to
say that they are better than these proprietary companies, they need
to deal with these sorts of things more professionally and establish
decent channels of communications for dealing with it.

And yes I have tried mailing the only people mentioned in the module in
question and am still waiting for a response.


gr*****@dscpl.com.au wrote:
> I'm sorry, but this isn't really good enough. If Open Source wants to
> say that they are better than these proprietary companies, they need
> to deal with these sorts of things more professionally and establish
> decent channels of communications for dealing with it.

Is that the sound of a volunteer I hear?

All you have to do is put your hand up, and the problem will be solved. If not
you, who?

Cheers,
Nick.

--
Nick Coghlan | nc******@email.com | Brisbane, Australia
---------------------------------------------------------------
http://boredomandlaziness.skystorm.net

