I don't think that it matters much at this point. We can start with the [Security] prefix and decide later to move items to a dedicated section. I expect that we have 10 security-related changes or less. Maybe I'm wrong and we have way more than that :-)

Victor

2016-06-22 0:40 GMT+02:00 Barry Warsaw <barry@python.org>:
On Jun 21, 2016, at 07:52 AM, Ethan Furman wrote:
On 06/21/2016 07:07 AM, Victor Stinner wrote:
Christian proposed to simply prefix changes with "[Security]".
Seems good to me -- are there any downsides?
Nothing major IMHO. The whole point is to make it easy for downstreams to identify change. To that effect, I'd mildly prefer a Misc/NEWS section because it will be easier to pick out the changes, but OTOH "security" issues can span multiple sections, so it may just be more accurate to add a [Security] mark to issues that have a security aspect.
Once downstreams are properly trained on the new mark, it should be just as easy to search for it. It *is* a little difficult to search for specific issues in NEWS that occur after a given release. I usually search for "What's new in X.Y" for the baseline X.Y I care about, and then search up for some reference to the issue I'm looking for. It wouldn't be much extra work to also search for [Security].
As an aside, when/if we ever get auto-NEWS file generation (to reduce conflicts), I would love to get the (git) commit id prepended to the NEWS item. Sure, a particular change can span multiple commits, but the one that changes NEWS should be enough to quickly jump me to the relevant changes.
Cheers,
-Barry
_______________________________________________
Security-SIG mailing list
Security-SIG@python.org
https://mail.python.org/mailman/listinfo/security-sig