How the Django team handles security
In the wake of the Ruby on Rails mandatory security patch and its awkward handling, we've been discussing how we can avoid such a problem in the Django community.
In case you haven't seen it, our How to contribute to Django document has a Reporting security issues section, which describes our policy. Take the 30 seconds to read that.
In addition to that policy, which we've had for a while, today we created a django-announce mailing list. It's a low-traffic, announcement-only mailing list. We'll send a message to it for new Django releases, significant feature additions and security alerts. If you're a Django user, it'd be a good idea for you to sign up for this list.
Posted by Adrian Holovaty on August 10, 2006
Comments
Frido August 10, 2006 at 12:13 p.m.
Hope it shows up on gmane.org soon
rick August 10, 2006 at 1:17 p.m.
That policy is very close to how we awkwardly handled things.
testingSQLinjectionAttack August 10, 2006 at 2:29 p.m.
') or ('a'='a
DammitItDidntWork August 10, 2006 at 2:29 p.m.
i guess django really IS secure!
NMY August 10, 2006 at 2:53 p.m.
I was just wondering how you guys would handle security problems. I hadn't thought to look in the "Contributing..." documentation for the information, though -- I wonder if people wanting to report security issues will. I like how much you have thought this out, though I do have a few questions.
When exactly does the *patch* become available to unknown django users? At the same time as the vulnerability announcement is made public? Isn't there merit in releasing the patches before or concurrently with the private notification, but not describing the reason beyond it is a "critical security fix", to be followed by a full vulnerability description at the go-public date? Or do you worry that the patch provides too much information to potential exploiters? BTW, the third point about preventing an arms-race almost reads like there would be a time of sitting on the patch after deciding on a go-public date but before privately notifying known users.
What does the private notification to known users mean? Only the biggies like Greenpeace and Tabblo? Everyone on django-announce? Everyone on django-users, sent with X-No-Archive? And how big of a delay is likely between the private notification and public announcement?
At what point do fixes get committed to svn (and the vulnerability technically becomes described to people who read the svn diffs)? At the same time as public patches are made available for the 3 most recent versions? And how explicit are the commit messages going to be?
It just seems like the majority of users aren't going to get any time to patch before the full description of the vulnerability, plus I guess I'm wondering how many blog posts from well-known django users along the lines of "get this patch from this secret location and apply it now, trust me" we're going to be seeing before seeing anything official. I think you need to promise in the security section that the patches will *always* reside on a djangoproject.com domain, even the ones being linked to in the private notifications. Everybody needs to be able to immediately disregard blog posts claiming to have been notified of a forthcoming vulnerability announcement and pointing to plausible-name.com/trojan-django.patch ("aholovaty.com" is available).
Of course, all of these questions and points are probably needlessly picky - your process is more well developed and described than most projects' (commercial or open-source), and I'm sure you're going to handle any security problems that arise with the admirable attention to all the little details and getting things right that is typical of this project.
Mike: I don't think it has had any known vulnerabilities yet, but that only means it's a matter of time. Luckily the Django team seem to be already preparing for handling it.
ToothyByte August 10, 2006 at 2:57 p.m.
> That policy is very close to how we awkwardly handled things
... with the exception of the part where a patch is publicly released without saying what it does ...
Jason Huggins August 10, 2006 at 3:43 p.m.
NMY, I have the same nitpicking questions as you do regarding *exactly* how "non-special" Django users get notified. :-)
I encourage you to repost your questions on the django-dev list, where the conversation is currently taking place.
Baiju M August 10, 2006 at 11:52 p.m.
> Pre-notify everyone we know to be running the affected
> version(s) of Django. We will send these notifications
> through private e-mail which will include documentation of
> the vulnerability, links to the relevant patch(es), and a
> request to keep the vulnerability confidential until the
> official go-public date.
How do you pre-notify users? Using a private list?
Otherwise, how do you get the e-mail addresses of real users?
Daniel Tietze August 12, 2006 at 2:47 a.m.
Whatever you do in case of a security problem (and I'm pretty confident you'll handle it well) -- PLEASE don't tell your corporate and enterprise users to "shove it".
Mike August 10, 2006 at 11:54 a.m.
yeeey.... security.... bear... some more security... even more wine.
Has django ever had any security issues? I suppose not.