The Python security response team
As the final presentation of the 2016 Python Language Summit—though it was followed by a few lightning talks that we are not covering—Christian Heimes led a discussion on the Python security response team. There have been some problems along the way that generally boil down to a need for more people working on the team.
![Christian Heimes](https://static.lwn.net/images/2016/ls-heimes-sm.jpg)
Some of the problems that have come up include bug reports sent to the team's list that could not be reproduced, and distributions not updating their Python packages because it was not clear to them that an upstream release contained a security fix. Heimes suggested that security fixes be clearly marked in the "News" file that accompanies releases. As one attendee pointed out, though, that still leaves the problem of security bugs that are never recognized as such.
Some bug reporters keep mailing the team about unfixed bugs. The problem is that he gets busy sometimes, Heimes said, so there may be a need for more people on the team. Nick Coghlan said that being on the team should be part of someone's job; otherwise that work will simply fall below the tasks on their list that are part of their job.
One issue that needs to be addressed as part of the migration to GitHub is ensuring there is a way to create embargoed bug reports in the new system, as one attendee noted. Right now, the Roundup-based bug tracker does have that capability, which will be needed for security bug reporting.
Guido van Rossum said that there have been problems with being responsive to external bug reporters. They sometimes get to the point of specifying dates when they will release information about the bug if they have not heard back. He said that he gets frustrated reading those emails because he doesn't have any information about the bug or the status of a fix that he could pass on. Ned Deily said that it isn't really clear who has the responsibility to handle the reports.
Coghlan suggested that creating a report that showed the time gap between the security bug reports and fixes would help. Customers would then see the problem and push to improve the response time, which could result in someone being tasked and paid to do so. Russell Keith-Magee noted that the Django Software Foundation is now paying someone to handle security bug reports, which has helped quite a bit.
| Index entries for this article | |
|---|---|
| Conference | Python Language Summit/2016 |