On May 14, 2007, at 11:32 AM, Stephen J. Turnbull wrote:
In general, I recognize the burden on the release engineer, and obviously any burdensome policy needs his OK. But I think the policy should be *effective* too, and I just don't see that a policy that allows such long lags is a more effective security response than a policy that says "the tarballs are deprecated due to security fixes; get your Python by importing the branch, not by fetching a tarball."
Like many other activities we do, if we find ourselves blocking because of resource constraints, we should recruit additional volunteers to reduce the load on any one person. Anthony does a masterful job as release manager, but maybe he would rather someone else perform security releases. (It's not a bad idea anyway so that others have experience doing releases too.) We should decide what's right for security releases and then assess whether we need to recruit in order to perform that activity the way we want to.

-Barry