[Python-Dev] Draft PEP: Maintenance of Python Releases
Stephen J. Turnbull stephen at xemacs.org
Tue May 15 06:38:09 CEST 2007
"Martin v. Löwis" writes:
> > In general, I recognize the burden on the release engineer, and obviously any burdensome policy needs his OK. But I think the policy should be effective too, and I just don't see that a policy that allows such long lags is a more effective security response than a policy that says "the tarballs are deprecated due to security fixes; get your Python by importing the branch, not by fetching a tarball."

> In effect, this is what the PEP says. That's intentional (i.e. it is my intention - others may have different intentions). It's the repository that holds the security patches; the tarballs (and the version number bumps) are just a convenience.

It's not the intentions of the Python developers that is my concern here. In effect, I can read this PEP as saying "we don't take security seriously enough to release in a timely fashion, why should you go to the effort of getting sources and applying patches?" and I fear that many users will do so. I think that the label of "release" is important.