[Python-Dev] Draft PEP: Maintenance of Python Releases

[Barry Warsaw]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On May 14, 2007, at 5:32 PM, Martin v. Löwis wrote:

>> We should decide what's right for security releases and then assess
>> whether we need to recruit in order to perform that activity the  
>> way we
>> want to.
>
> I disagree. If you would like to see a certain policy implemented, you
> need to locate the volunteers *first*, and only then you can start
> setting a policy that these volunteers can agree to. When the  
> volunteers
> then run away, or become inactive, the policy needs revisiting.

These are not mutually exclusive positions, but that's unimportant  
because in this specific case, I'm confident we can summon the  
necessary manpower.

Still, I'm in agreement with you that the repository holds the  
security patches and that the tarballs are a convenience.  They are  
an important convenience though, so I would say that they should be  
released in a timely manner after the commit of the security  
patches.  I don't think we need to be that exact about spelling out  
when that happens.

(I personally would like to see it within "weeks" of a security  
patch, not "months" or "years".)

Also, I would like to document explicit that it is the responsibility  
of the PSRT (or its designate) to commit security patches to revision  
control.  The act of committing these patches is a public event and  
has an important impact on any embargoes agreed upon by the PSRT with  
other organizations.

- -Barry

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)

iQCVAwUBRkjYFHEjvBPtnXfVAQIAfAQAq8052/15WnMqrEyReXJRgeJqtklKzg3f
xwVaOdEQjnp0QXAg7tMf29kCxLq6kW6al8DMUPHQcaV9cH7sQcMAon0V9LwiXlwU
3d0Mbvb5RUlpRmfDniQeGljCyCLJZbk+nUbrWbLAtIsrzMaW4FaPUkTUza1ZSIHX
nKhsh7fifiM=
=kYxd
-----END PGP SIGNATURE-----