[Python-Dev] Wanted: members for Python Security Response Team

Guido van Rossum gvanrossum at gmail.com
Sat Feb 5 17:02:46 CET 2005

> How will Python releases made in response to security bugs be done: will
> they just include the security fix (rather than being taken from CVS
> HEAD), without the usual alpha / beta testing cycle?  Or what...?

Depends where you get the release. *Vendors* (ActiveState, Red Hat,
Ubuntu, Debian, etc.) typically release a new version that has *just*
the fix; they have the infrastructure in place to do this sort of
thing quickly and to let their customers benefit quickly.

On python.org, however, we tend to take the maintenance branch for a
particular version (e.g. 2.3.x or 2.4.x), add the fix, and accellerate
the release. For example, we'll release 2.3.5 next week, and 2.4.1
probably some time this month. (In addition, of course, we publish the
raw patch; also, we might end up making exceptions and/or start
following the vendors' example in some or all cases).

--Guido van Rossum (home page: http://www.python.org/~guido/)

More information about the Python-Dev mailing list