Robert Collins wrote:
> What if we were to always do a release after a security advisory?

We don't do a server "stable release" after each security advisory as it
doesn't significantly help spreading the fix, but I agree that for
client libraries (where the PyPI releases are the main form of
downstream consumption of the fix) it makes sense to tag and trigger a
new PyPI release after each security advisory.

These were the first advisories on client libraries, but with Keystone
middleware being shipped within python-keystoneclient, I expect more in
the future.

-- 
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team
