indygreg / python-build-standalone

Produce redistributable builds of Python
Mozilla Public License 2.0

Mechanism to submit security issues #348

Closed itamarst closed 1 month ago

itamarst commented 1 month ago

Hi, I had a security issue I wanted to report, and there's no mechanism to do it privately at the moment.

indygreg commented 1 month ago

Email me. gregory.szorc@gmail.com.

itamarst commented 1 month ago

When you have time, let me know if the thing I sent via email is something you consider to be a problem.

zanieb commented 1 month ago

Yes we're addressing it in https://github.com/indygreg/python-build-standalone/pull/350

itamarst commented 1 month ago

Thank you! Are you thinking about the broader process issue too? I.e. rebuilding existing Python versions when a new OpenSSL version comes out? (I imagine other dependencies may also be an issue, this just seemed like the most obvious one to check.)

zanieb commented 1 month ago

Well, we'll rebuild the latest patch versions but we can't rebuild them all because it's too much to build.

And yeah, I'm trying to figure out a better way to get notified of, and otherwise automate, dependency updates. I just manually checked everything and opened >15 PRs but it was pretty tedious.
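One way for a consumer of these builds to notice when an installed interpreter is still linked against an old OpenSSL, as an added example that is not part of this issue or of python-build-standalone itself; the minimum version is an assumed placeholder to be set from your own advisory tracking:

```python
"""Flag a Python interpreter whose linked OpenSSL is older than a minimum.

Added example (not project code). MINIMUM_OPENSSL is a placeholder value;
replace it with the oldest release your advisory tracking still accepts.
"""
import re
import ssl

# Assumed placeholder: oldest OpenSSL release you consider acceptable.
MINIMUM_OPENSSL = (3, 0, 13)

# Matches the banner exposed by ssl.OPENSSL_VERSION, e.g.
# "OpenSSL 3.0.13 30 Jan 2024" or the legacy "OpenSSL 1.1.1w 11 Sep 2023".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner: str) -> tuple:
    """Return a comparable (major, minor, patch) triple from a banner string.

    Legacy 1.1.1x letter suffixes are folded into the patch number
    (patch * 100 + letter index) so that 1.1.1w sorts after 1.1.1v and
    after the suffix-less 1.1.1 release.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        # LibreSSL or an unexpected banner: refuse rather than guess.
        raise ValueError(f"unrecognised OpenSSL banner: {banner!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    suffix = m.group(4)
    if suffix:
        patch = patch * 100 + (ord(suffix[-1]) - ord("a") + 1)
    return (major, minor, patch)


def is_stale(banner: str, minimum: tuple = MINIMUM_OPENSSL) -> bool:
    """True when the banner's OpenSSL version is older than `minimum`."""
    return parse_openssl_version(banner) < minimum


def check_running_interpreter(minimum: tuple = MINIMUM_OPENSSL) -> bool:
    """Check the OpenSSL the current interpreter's ssl module was built against."""
    return is_stale(ssl.OPENSSL_VERSION, minimum)


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION, "STALE" if check_running_interpreter() else "ok")
```

Run it under each deployed python-build-standalone interpreter (for example from a CI job) so an old bundled OpenSSL surfaces before an advisory does.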

itamarst commented 1 month ago

Oh, yeah, I meant rebuilding latest patch revision only. Older patch revisions will have Python security vulnerabilities too, after all.

zanieb commented 1 month ago

Thanks!

itamarst commented 1 month ago

Thank you!