How to report a security bug of pip? #11033

Closed
1 task done
ycdxsb opened this issue Apr 13, 2022 · 10 comments
Labels
type: maintenance (Related to Development and Maintenance Processes); type: question (User question); type: security (Has potential security implications)

Comments

@ycdxsb

ycdxsb commented Apr 13, 2022

Description

Hello,
I want to know how to report a security bug of pip.
Thank you.

Expected behavior

None

pip version

22.0.4

Python version

3.10.4

OS

windows

How to Reproduce

None

Output

None

Code of Conduct

ycdxsb added the labels S: needs triage (Issues/PRs that need to be triaged) and type: bug (A confirmed bug or unintended behavior) on Apr 13, 2022

@potiuk
Contributor

potiuk commented Apr 13, 2022

There is no policy in pip. I reported a bug to security@python.org some time ago. Worked.

@ycdxsb
Author

ycdxsb commented Apr 13, 2022

> There is no policy in pip. I reported a bug to security@python.org some time ago. Worked.

security@python.org rejected my report because it's not a security bug about Python.

@potiuk
Contributor

potiuk commented Apr 13, 2022

🤷 - no idea then

@uranusjr
Member

cc @pradyunsg we talked about this the other day

uranusjr added the labels type: security (Has potential security implications), type: maintenance (Related to Development and Maintenance Processes) and type: question (User question), and removed type: bug (A confirmed bug or unintended behavior) and S: needs triage (Issues/PRs that need to be triaged), on Apr 13, 2022

@ycdxsb
Author

ycdxsb commented Apr 14, 2022

> cc @pradyunsg we talked about this the other day

Is there an email like security@python.org to accept reports?

@uranusjr
Member

From previous discussion security@python.org is the one to use, and I’m surprised it rejected it (first time I’ve heard that happened). I don’t think there’s another dedicated mailing list for this, the closest alternative would be to find maintainers’ emails on GitHub and email privately.

(I’m going to raise this issue in the Packaging Summit next month at PyCon)

@uranusjr
Member

Linking #10928

@ycdxsb
Author

ycdxsb commented Apr 14, 2022

> From previous discussion security@python.org is the one to use, and I’m surprised it rejected it (first time I’ve heard that happened). I don’t think there’s another dedicated mailing list for this, the closest alternative would be to find maintainers’ emails on GitHub and email privately.
>
> (I’m going to raise this issue in the Packaging Summit next month at PyCon)

Thanks, I will send the report to you later.

@pradyunsg
Member

Closing in favour of #11037, given that OP has reached out.

@pradyunsg
Member

I don't see any reports from OP on security@python.org. Could you forward the email that you sent to security@ to me?

github-actions bot locked as resolved and limited conversation to collaborators on May 23, 2022