[Python-Dev] Draft PEP: Maintenance of Python Releases
Barry Warsaw
barry at python.org
Mon May 14 23:43:47 CEST 2007
On May 14, 2007, at 5:32 PM, Martin v. Löwis wrote:
>> We should decide what's right for security releases and then assess
>> whether we need to recruit in order to perform that activity the way
>> we want to.
>
> I disagree. If you would like to see a certain policy implemented, you
> need to locate the volunteers *first*, and only then you can start
> setting a policy that these volunteers can agree to. When the volunteers
> then run away, or become inactive, the policy needs revisiting.

These are not mutually exclusive positions, but that's unimportant
because in this specific case, I'm confident we can summon the
necessary manpower.

Still, I'm in agreement with you that the repository holds the
security patches and that the tarballs are a convenience. They are
an important convenience though, so I would say that they should be
released in a timely manner after the commit of the security
patches. I don't think we need to be that exact about spelling out
when that happens.

(I personally would like to see it within "weeks" of a security
patch, not "months" or "years".)

Also, I would like to document explicitly that it is the responsibility
of the PSRT (or its designate) to commit security patches to revision
control. The act of committing these patches is a public event and
has an important impact on any embargoes agreed upon by the PSRT with
other organizations.

-Barry