[Python-Dev] Draft PEP: Maintenance of Python Releases

Stephen J. Turnbull stephen at xemacs.org
Tue May 15 06:38:09 CEST 2007


"Martin v. Löwis" writes:

 > > In general, I recognize the burden on the release engineer, and
 > > obviously any burdensome policy needs his OK.  But I think the policy
 > > should be *effective* too, and I just don't see that a policy that
 > > allows such long lags is a more effective security response than a
 > > policy that says "the tarballs are deprecated due to security fixes;
 > > get your Python by importing the branch, not by fetching a tarball."
 > 
 > In effect, this is what the PEP says.  That's intentional (i.e. it
 > is my intention - others may have different intentions). It's the
 > repository that holds the security patches; the tarballs (and the
 > version number bumps) are just a convenience.

It's not the intentions of the Python developers that are my concern
here.  In effect, I can read this PEP as saying "we don't take
security seriously enough to release in a timely fashion, why should
you go to the effort of getting sources and applying patches?" and I
fear that many users will do so.  I think that the label of "release"
is important.
