[Python-Dev] Draft PEP: Maintenance of Python Releases

"Martin v. Löwis" martin at v.loewis.de
Tue May 15 06:55:35 CEST 2007


>  > In effect, this is what the PEP says.  That's intentional (i.e. it
>  > is my intention - others may have different intentions). It's the
>  > repository that holds the security patches; the tarballs (and the
>  > version number bumps) are just a convenience.
> 
> It's not the intentions of the Python developers that is my concern
> here.  In effect, I can read this PEP as saying "we don't take
> security seriously enough to release in a timely fashion, why should
> you go to the effort of getting sources and applying patches?" and I
> fear that many users will do so.  I think that the label of "release"
> is important.

[Not sure who "you" is above: who should or should not go to the effort
of getting sources, and what patches should they apply?]

I don't think I can be more plain than that: yes, I do not take security
seriously enough to release security fixes for old Python versions more
than once a year. As a user, it's easy to demand things, and people
really have to learn that in open source, all things are done by
volunteers, and that demanding gets you nowhere. To get a better
service, somebody really has to volunteer and offer it.

Regards,
Martin

