The tracker doesn't appear to have a way to privately report a security problem.

> The tracker doesn't appear to have a way to privately report a security problem.

That's mostly intentional. Issues that shouldn't be disclosed should be 
reported to security@python.org.

Regards,
Martin

Well, ok, but a link or explanation of that somewhere on the tracker would be
helpful.  Eventually it may be worth adding this, depending on how the
maintainers want to handle such reports.  I know that launchpad and bugzilla can
accept private reports and the feature is helpful.  They also normally serve
pages through SSL which should be more secure than email.  Anything really
sensitive is probably better off on a single well-secured server than in the
mailboxes of N different maintainers.  However, this probably isn't an
overriding issue for Python right now.

The problem is that we would need to create a separate account role, and then
restrict classified issues to access only by that role, and by the submitter.
The security model of Roundup makes this fairly error-prone - this installation
gives "view" permissions to all issues to everybody, and restricting it requires
a lot of work,testing, and faith.

So email is *much* more secure.

Contributions are welcome.

I guess this is best left as a long term wish list item in that case.  Having
been through this kind of thing a few times before, I agree that if it's
complicated to do, it's likely to leave holes.  So it's best accomplished by
organizing the architecture in a way that makes it simple and solid.

I do think it's worth doing something about issue #191 (reported by email) even
if it's a short term hack.

> I do think it's worth doing something about issue #191 (reported by email) even
> if it's a short term hack.

If you are talking about the issue you reported privately - nobody here 
knows what the issue is; that's the point of a classified report.