[Python-Dev] Draft PEP: Maintenance of Python Releases

Barry Warsaw barry at python.org
Mon May 14 23:43:47 CEST 2007



On May 14, 2007, at 5:32 PM, Martin v. Löwis wrote:

> > We should decide what's right for security releases and then assess
> > whether we need to recruit in order to perform that activity the way
> > we want to.
>
> I disagree. If you would like to see a certain policy implemented, you
> need to locate the volunteers first, and only then you can start
> setting a policy that these volunteers can agree to. When the
> volunteers then run away, or become inactive, the policy needs
> revisiting.

These are not mutually exclusive positions, but that's unimportant
because in this specific case, I'm confident we can summon the
necessary manpower.

Still, I'm in agreement with you that the repository holds the
security patches and that the tarballs are a convenience. They are
an important convenience though, so I would say that they should be
released in a timely manner after the commit of the security
patches. I don't think we need to be that exact about spelling out
when that happens.

(I personally would like to see it within "weeks" of a security
patch, not "months" or "years".)

Also, I would like to document explicitly that it is the responsibility
of the PSRT (or its designate) to commit security patches to revision
control. The act of committing these patches is a public event and
has an important impact on any embargoes agreed upon by the PSRT with
other organizations.



