docs: add security policy #7
Conversation
|
This PR will add links for all repos under https://github.com/python to the security policy:
The policy at https://www.python.org/dev/security/ says it only covers official CPython and pip. It doesn't mention other projects under https://github.com/python, such as mypy, blurb, pyperformance and tzdata: https://github.com/orgs/python/repositories?type=all I think it's reasonable to include those, but let's ask the PSRT first. |
| the Python team responsibly. | ||
|
|
||
| To reach the response team, email | ||
| <a href="mailto:%73%65%63%75%72%69%74%79%40%70%79%74%68%6F%6E%2E%6F%72%67">security |
There was a problem hiding this comment.
Do we really need to obfuscate this?
There was a problem hiding this comment.
@hugovk thoughts (ref: python/pythondotorg#2417 (comment))
There was a problem hiding this comment.
I personally don't mind, my suggestion was to copy https://www.python.org/dev/security/, there must have been a reason to do it there 🤷
Co-authored-by: Jelle Zijlstra <[email protected]>
There was a problem hiding this comment.
@JacobCoffee welcome, nice to see you here 👋
Applying this to the whole org will also impact projects like mypy / typeshed / typing_extensions / multiple others.
Is it correct? Do we expect all security notices about these project to be reported the same way?
|
Yes, it would show up on all repos under https://github.com/python. I've asked the PSRT to confirm they're fine with it, and a couple of mypy maintainers said they'd be happy to receive reports via the PSRT. (Mypy being the most likely to receive security reports.) |
|
Any news @hugovk ? |
|
It was generally positive but nothing definitive so I've asked again. |
|
Do I need to merge this? I don't mind, just don't want to step on anyones toes. |
|
Go for it! |
What
Why
See Also
python/pythondotorg#2417