Issue 31953: Dedicated place for security announcements?

Hello,

My apologies if this is not the right place to discus this.

I would like to ensure that I stay informed of any potential future security issues in python (specifically at least the cpython runtime and standard library, although select very-popular 3rd party libraries wouldn't hurt). I cannot find a single place where such announcements are guaranteed to land.

Good examples of the type of thing I am looking for are the openssl-announce list [1][2] and the golang-announce list [3], where the projects pre-announce "Hey, we're going to have a release on <date> which addresses a <rough severity> security issue in <vague area of impact>." and then announces again when patches are available such that responsible maintainers (such as I am trying to be) can ensure that updates are available to our users ASAP.

The python-announce-list [4] does not serve this purpose because it has lots of noise from initial release announcements about random 3rd party stuff, and the "security news" page [5] is really just a "how to disclose vulns" page.

Note that I'm *not* advocating for the creation of a pre-disclosure list! Python is such a ubiquitous piece of software that I don't think it's reasonable to expect that such a list could contain all affected parties without also leaking details to those who would cause harm. I'm only asking for something public that I can subscribe to in order to be sure I'll have a heads up of when patching is imminently required.

Regards,
Jean-Philippe
(a contributor to the Qubes OS project [6] whose security relies mostly on Python's and Xen's - and is on Xen's pre-disclosure list)

[1]: https://mta.openssl.org/pipermail/openssl-announce/2017-October/thread.html
[2]: https://mta.openssl.org/pipermail/openssl-announce/2017-November/thread.html
[3]: https://groups.google.com/forum/#!forum/golang-announce
[4]: https://mail.python.org/mailman/listinfo/python-announce-list
[5]: https://www.python.org/news/security/
[6]: https://www.qubes-os.org/

Title:	Dedicated place for security announcements?
Type:	security	Stage:	resolved
Components:	Documentation, email	Versions:

Status:	closed	Resolution:	not a bug
Dependencies:		Superseder:
Assigned To:	docs@python	Nosy List:	Mariatta, barry, docs@python, jpo, r.david.murray
Priority:	normal	Keywords:

Messages (3)
msg305614 - (view)	Author: Jean-Philippe Ouellet (jpo)	Date: 2017-11-06 02:26
Hello, My apologies if this is not the right place to discus this. I would like to ensure that I stay informed of any potential future security issues in python (specifically at least the cpython runtime and standard library, although select very-popular 3rd party libraries wouldn't hurt). I cannot find a single place where such announcements are guaranteed to land. Good examples of the type of thing I am looking for are the openssl-announce list [1][2] and the golang-announce list [3], where the projects pre-announce "Hey, we're going to have a release on <date> which addresses a <rough severity> security issue in <vague area of impact>." and then announces again when patches are available such that responsible maintainers (such as I am trying to be) can ensure that updates are available to our users ASAP. The python-announce-list [4] does not serve this purpose because it has lots of noise from initial release announcements about random 3rd party stuff, and the "security news" page [5] is really just a "how to disclose vulns" page. Note that I'm not advocating for the creation of a pre-disclosure list! Python is such a ubiquitous piece of software that I don't think it's reasonable to expect that such a list could contain all affected parties without also leaking details to those who would cause harm. I'm only asking for something public that I can subscribe to in order to be sure I'll have a heads up of when patching is imminently required. Regards, Jean-Philippe (a contributor to the Qubes OS project [6] whose security relies mostly on Python's and Xen's - and is on Xen's pre-disclosure list) [1]: https://mta.openssl.org/pipermail/openssl-announce/2017-October/thread.html [2]: https://mta.openssl.org/pipermail/openssl-announce/2017-November/thread.html [3]: https://groups.google.com/forum/#!forum/golang-announce [4]: https://mail.python.org/mailman/listinfo/python-announce-list [5]: https://www.python.org/news/security/ [6]: https://www.qubes-os.org/
msg305617 - (view)	Author: Mariatta (Mariatta) *	Date: 2017-11-06 03:14
There is Security SIG mailing list, please check it out: https://mail.python.org/mm3/archives/list/security-sig@python.org/
msg305622 - (view)	Author: Jean-Philippe Ouellet (jpo)	Date: 2017-11-06 08:56
Ah, I now see there actually is a security-announce list [1]! Unless one happens to already know that Python has two concurrent mailman instances hosting different lists [2][3], it's easy to miss. Thanks, and sorry for the noise! [1]: https://mail.python.org/mm3/archives/list/security-announce@python.org/ [2]: https://mail.python.org/mm3/archives/ [3]: https://mail.python.org/mailman/listinfo

History
Date	User	Action	Args
2022-04-11 14:58:54	admin	set	github: 76134
2017-11-06 08:56:31	jpo	set	messages: + msg305622
2017-11-06 03:14:15	Mariatta	set	status: open -> closed nosy: + Mariatta messages: + msg305617 resolution: not a bug stage: resolved
2017-11-06 02:26:50	jpo	create