
touch-packages team mailing list archive

[Bug 1401322] Re: Upgrade to Python 2.7.9


Tyler,

Sorry if I don't fully understand, but your claim is that this is a
non-issue because "you" (presumably referring to the Ubuntu Security team
in general) will fix individual applications that are vulnerable to
CVE-2014-9365. Before closing this issue, I'd like to know how you plan
to do that without backporting the fix in question.

If we restrict ourselves to just the package tree for a moment, are you
really suggesting that the Ubuntu Security team will comb through every
single Python package to check whether they use a Python module that
does not verify certificates, and then evaluate how to patch that in
manually, and then apply that patch? And then you will do this
recursively, so that all packages that depend on the first set of
packages are themselves evaluated for breakage or workaround? Where is
Ubuntu getting the manpower to do this work?

That then leaves out the substantial portion of users who are using
applications that are not in the package trees: those users need to be
actively watching the CVE database for vulnerabilities in order to know
that they are, in fact, vulnerable. I suspect most of them are not:
they, like many others, are expecting that Ubuntu will patch known
defects when they arise.

Am I wrong here? Because it seems to me that the decision was made here
that it matters more that user code does not break, even when that code
is actively exposing the users to compromise and risk. That strikes me
as a pretty perverse decision.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to python-defaults in Ubuntu.
https://bugs.launchpad.net/bugs/1401322

Title:
  Upgrade to Python 2.7.9

Status in python-defaults package in Ubuntu:
  Fix Released

Bug description:
  Python 2.7.9 contains numerous security improvements for Python.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-defaults/+bug/1401322/+subscriptions
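The message above turns on whether a Python HTTPS client verifies the peer certificate, which the 2.7.9 default does and older interpreters did not (CVE-2014-9365). The following is an added example, not code from the bug thread or from Ubuntu: it shows how application code can enforce verification itself instead of relying on the interpreter default, and how to audit an `ssl.SSLContext` it is handed before using it. `ssl._create_unverified_context()` is the standard library's own opt-out and stands in here for the weak pre-2.7.9 behaviour; the function names are this example's own.

```python
"""Audit whether an SSLContext actually verifies the peer certificate.

Added example, not part of the Launchpad thread. The thread concerns
Python 2.7.9 making HTTPS clients verify certificates by default
(CVE-2014-9365). Code that cannot rely on the interpreter default can
enforce verification explicitly and can check any context it receives.
"""
import ssl


def verifying_context():
    """Return a client context that requires a trusted chain and a
    matching hostname, i.e. the behaviour the 2.7.9 default provides."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True            # hostname must match the cert
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain must validate to a CA
    return ctx


def unverified_context():
    """Return the standard library's explicit opt-out context. It stands
    in for the pre-2.7.9 behaviour: no chain check, no hostname check."""
    return ssl._create_unverified_context()


def audit_context(ctx):
    """Return a list of findings describing why ctx does not verify peers.

    An empty list means the context both validates the certificate chain
    and checks that the certificate matches the requested hostname.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is %s, not CERT_REQUIRED" % ctx.verify_mode)
    if not ctx.check_hostname:
        findings.append("check_hostname is disabled")
    return findings


def context_verifies(ctx):
    """True when audit_context() reports nothing wrong with ctx."""
    return not audit_context(ctx)


if __name__ == "__main__":
    for label, ctx in (("hardened", verifying_context()),
                       ("unverified", unverified_context())):
        print(label, "OK" if context_verifies(ctx) else audit_context(ctx))
```

Running a context through `audit_context()` before handing it to `urllib`, `http.client` or a third-party library catches the case the thread worries about: an application that silently accepts any certificate because the interpreter, or some module it imports, never asked for verification.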
