On May 14, 2007, at 11:32 AM, Stephen J. Turnbull wrote:
> In general, I recognize the burden on the release engineer, and obviously any burdensome policy needs his OK. But I think the policy should be *effective* too, and I just don't see that a policy that allows such long lags is a more effective security response than a policy that says "the tarballs are deprecated due to security fixes; get your Python by importing the branch, not by fetching a tarball."
Like many other activities we do, if we find ourselves blocking because of resource constraints, we should recruit additional volunteers to reduce the load on any one person. Anthony does a masterful job as release manager, but maybe he would rather someone else perform security releases. (It's not a bad idea anyway so that others have experience doing releases too.)
We should decide what's right for security releases and then assess whether we need to recruit in order to perform that activity the way we want to.
-Barry