[Python-Dev] Draft PEP: Maintenance of Python Releases

Barry Warsaw barry at python.org
Mon May 14 23:43:47 CEST 2007

On May 14, 2007, at 5:32 PM, Martin v. Löwis wrote:

>> We should decide what's right for security releases and then assess
>> whether we need to recruit in order to perform that activity the way we
>> want to.
> I disagree. If you would like to see a certain policy implemented, you
> need to locate the volunteers *first*, and only then you can start
> setting a policy that these volunteers can agree to. When the volunteers
> then run away, or become inactive, the policy needs revisiting.

These are not mutually exclusive positions, but that's unimportant because in this specific case, I'm confident we can summon the necessary manpower.

Still, I'm in agreement with you that the repository holds the security patches and that the tarballs are a convenience.  They are an important convenience though, so I would say that they should be released in a timely manner after the commit of the security patches.  I don't think we need to be that exact about spelling out when that happens.

(I personally would like to see it within "weeks" of a security patch, not "months" or "years".)

Also, I would like to document explicitly that it is the responsibility of the PSRT (or its designate) to commit security patches to revision control.  The act of committing these patches is a public event and has an important impact on any embargoes agreed upon by the PSRT with other organizations.