Is there any interest in adding a private category here, or a mailing list, to invite WSGI and ASGI maintainers to discus internals? I’m thinking topics like PEP/RFC spec compliance, optimizations, extensions to WSGI, and security discussions that are common to many frameworks. It would be really valuable to me to be able to pool knowledge with other maintainers, without needing to post publicly.
I’d prefer such discussions to happen in public. Personally, I wouldn’t want to weigh in most of the time, but I’m sure I’d occasionally find something of interest.
Also I’m not sure who would count as a WSGI/ASGI maintainer, among Django people. @andrewgodwin and @carltongibson at least, as shepherds of ASGI.
I would also prefer discussion to happen in public, but if it’s discussion that wouldn’t happen unless it happens in private, I am open to having a place to put those discussions.
I think Carlton and myself are probably the main people who think about this semi-regularly - Carlton is the more active maintainer and prodder of asgiref, whereas I still act as guardian of the spec, for better or worse.
Could we enable Discussions on django/asgiref? (Maybe Issues are fine… 
)
Security discussions are more to the point I’d have thought. In many cases it may be more is this an issue rather than a concrete report…? What’s your thought David?
1 Like
I was specifically thinking about security issues, had just received a report that I’m not entirely sure what to do about. Just made me realize that most security issues at the WSGI layer could be collaborated on more. It wouldn’t be particularly high volume, I get maybe two valid reports a year.
OK, so one option there (at least immediately) would be to email the Django Security Team (security at …). It may be a slight stretch of scope but happy to engage there.
Tom Christie is on those emails. We can always CC Andrew in too. (There are a couple of other folks in the ASGI realm that come to mind… — maybe a small CC list is enough to be going on with? 
)
I just sent an email to the security address. But I realized that other frameworks like Pyramid and Starlette, and clients like urllib3 and httpx might also need to be involved in things like this. It would be really nice to have one place to invite maintainers.
1 Like