-
Notifications
You must be signed in to change notification settings - Fork 17
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
docs: add security policy #7
base: master
Are you sure you want to change the base?
Conversation
This PR will add links for all repos under https://github.com/python to the security policy:
The policy at https://www.python.org/dev/security/ says it only covers official CPython and pip. It doesn't mention other projects under https://github.com/python, such as mypy, blurb, pyperformance and tzdata: https://github.com/orgs/python/repositories?type=all I think it's reasonable to include those, but let's ask the PSRT first. |
the Python team responsibly. | ||
|
||
To reach the response team, email | ||
<a href="mailto:%73%65%63%75%72%69%74%79%40%70%79%74%68%6F%6E%2E%6F%72%67">security |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we really need to obfuscate this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@hugovk thoughts (ref: python/pythondotorg#2417 (comment))
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I personally don't mind, my suggestion was to copy https://www.python.org/dev/security/, there must have been a reason to do it there 🤷
Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@JacobCoffee welcome, nice to see you here 👋
Applying this to the whole org will also impact projects like mypy
/ typeshed
/ typing_extensions
/ multiple others.
Is it correct? Do we expect all security notices about these project to be reported the same way?
Yes, it would show up on all repos under https://github.com/python. I've asked the PSRT to confirm they're fine with it, and a couple of mypy maintainers said they'd be happy to receive reports via the PSRT. (Mypy being the most likely to receive security reports.) |
What
Why
See Also
python/pythondotorg#2417