Should I make a 3.4.7rc1 next weekend?
I'm scheduled to tag and release 3.5.4rc1 next weekend. I've been releasing 3.4 and 3.5 at the same time for the last year; this is convenient for me as it halves the frequency with which I have to put on the "release manager" hat.
There are currently no scheduled dates to release 3.4.7. The reason being that until very recently there was almost no work done in 3.4 since 3.4.6 was tagged. But! The reason for /that/ was because of a change in the workflow: once we switched to GitHub, for branches that are in security-fixes-only mode, only the Release Manager is allowed to accept PRs into that branch. It turned out there were a bunch of PRs waiting for my approval.
After a flurry of accepted PRs, I have now accrued about ten fresh security fixes in the 3.4 branch. (Mostly from Victor, but also Serhiy, and one from Barry--thanks everyone!) There are now no outstanding security fix PRs against 3.4.
Since I'm releasing 3.5.4rc1 next weekend, I wouldn't mind /also/ releasing 3.4.7rc1 next weekend. That would put 3.4.7 final the same day as 3.5.4 final: just over three weeks from now, releasing on Sunday August 5. I realize it's not much notice, and that's normally not how we do things in the CPython world. (Sorry for the short notice--it's my fault for not adjusting to the new workflow quickly enough.)
Anyway the point of this email is to call for a vote. Which of these statements do you agree with:
- Larry should tag and release 3.4.7rc1 next weekend.
- Larry should schedule 3.4.7rc1 for a month from now, to give people time to get their work in.
In particular, Victor and Serhiy, I'm interested in your votes. You both get veto powers for the short notice--if either of you say "do it a month from now" then it'll be a month from now.
Also, if anybody has security fixes you want to get in to the next release of 3.4, but you haven't made a PR yet, please reply and describe them. (Please reply to list if appropriate, but if it should be kept quiet please reply to me directly.)
Braising in my own juices at EuroPython,
//arry/
I would love to have a new 3.4 release including all security fixes, sure! It would reduce the number of known vulnerabilities in Python 3.4:
http://python-security.readthedocs.io/vulnerabilities.html
2017-07-12 15:09 GMT+02:00 Larry Hastings <larry@hastings.org>:
> After a flurry of accepted PRs, I have now accrued about ten fresh security fixes in the 3.4 branch. (Mostly from Victor, but also Serhiy, and one from Barry--thanks everyone!) There are now no outstanding security fix PRs against 3.4.
Thanks for merging them ;-)
I would like to see my "[3.4] Backport CI config from master" PR merged into 3.4 to get at least a check from Travis and AppVeyor that there is no major regression on Linux and Windows: https://github.com/python/cpython/pull/2475
If I recall correctly, it would be the first time that we have a CI for a branch in security-fix only mode, no?
Victor
12.07.17 16:09, Larry Hastings writes:
> Anyway the point of this email is to call for a vote. Which of these statements do you agree with:
> - Larry should tag and release 3.4.7rc1 next weekend.
> - Larry should schedule 3.4.7rc1 for a month from now, to give people time to get their work in.
I'm for releasing 3.4.7rc1 next weekend. There were not many security issues, and it seems all worthwhile fixes are already backported and merged in 3.4 (thank you for merging them). The rest of the work can be done in a few days.
I have just one suggestion. Issue26617 and issue28427 were not marked as security issues but they look like very bad bugs to me. They are hard to catch, can unexpectedly break any program that uses weakref and threads, and don't have workarounds. If you decide to backport them I can help with backporting.
https://bugs.python.org/issue26617 https://bugs.python.org/issue28427
In reply to my proposal of a few days ago, I received two +1s and no other feedback. So I'm going to issue 3.4.7 with relatively little notice.
Here's the schedule for 3.4.7; it mirrors the schedule for 3.5.4.
Saturday, July 22, 2017 - tag 3.4.7 rc1
Sunday, July 23, 2017 - release 3.4.7 rc1
Sunday, August 6, 2017 - tag 3.4.7 final
Monday, August 7, 2017 - release 3.4.7 final
Cheers,
//arry/
participants (3)
- Larry Hastings
- Serhiy Storchaka
- Victor Stinner