Django and security

Following last week's security releases, we've received a few questions, and also noted some confusion.

To answer those questions and clear up any confusion, today we've added a new section to the Django documentation, outlining Django's security policies in detail. Our hope is for this document to be a one-stop shop for any questions you may have about how the Django project handles security issues; if there's anything missing from it, please let us know. And if you need a convenient, easy-to-remember URL, djangoproject.com/security/ redirects to this document.

In particular, we'd like to encourage all users of Django to read the sections on who receives security notifications, how to request them and what the criteria are for inclusion on our security notification list. For obvious reasons, that list simply cannot include most users of Django, and must be kept small in order to serve its intended purpose.

We also strongly encourage all users of Django to subscribe to the django-announce mailing list, which is a low-traffic list serving only to announce new Django releases.

Posted by James Bennett on August 7, 2012