On Oct 01, 2012, at 01:30 PM, Martin v. Löwis wrote:
I had meant to write a PEP on security releases for several years now.
Since this still doesn't exist, here is the outline of the procedures that maintainers have agreed upon:
- bug fix releases are made until the next feature release is out (with 2.7 being an exception from that rule)
- security fixes are being provided until 5 years after the initial release of the feature release
The 5 years horizon is based on requests of system packagers (Linux distributions in particular), who often also have 5-year cycles for long-term support.
- for 2.6, this will be until Oct 1, 2013
- for 3.1, this will be until July 27, 2014
- for 3.2, this will be until Feb 20, 2016
- security releases are made whenever maintainers deem it necessary; the two options are
Which of these to take depends on the nature of the fix, of course. The former is intended for system packagers of Python - they can incorporate fixes that are official already despite not having been released yet.
- commit fixes into source repository only, and release whenever enough time has passed, or enough changes have accumulated, or
- release right after a security issue has been resolved
The only thing missing is whether releases are made source-only or with binary packages for Windows and Mac. My understanding is that once a release goes into security-only mode, binary releases cease.