On Wed, Jan 5, 2011 at 1:05 PM, Russell Keith-Magee <[email protected]> wrote:
>
> We will obviously do a 1.2.5 release when we hit 1.3 final; but I'm
> not sure if we should push a 1.2.5 (and 1.1.4) ASAP addressing these
> regressions, and then do 1.2.6 when we cut 1.3 final.
>
> This also points out that we should perhaps reconsider our release
> policy. Putting out security releases that include unrelated fixes is
> a bit of a risk. We've been bitten by this in the past, but never this
> bad. I would suggest that when security issues arise in 1.2.3, we
> should be releasing 1.2.3.1 rather than 1.2.4. If a security release
> coincides with a point release -- as it did when we released 1.3beta1
> -- we should release 1.2.3.1 (to address the security issue) *and*
> 1.2.4 (to get the other bugfixes). This will ensure that it is
> possible to update production code and get just the security fix,
> without any risk of regressions.
>
> Any opinions on these two points?

I agree with getting a 1.2.5 ASAP.

Also, it has always been my thought that the security releases should contain only the security fix(es) that trigger them, and always asked myself if it would be too crazy to propose a four-component A.B.C.D versioning schema.

IT policies that force users to only install released software won't allow people to run a 1.2.3 with the security fixes manually applied over it, and users won't dare to go straight to e.g. 1.2.4 based on knowledge of our release policy plus experience of regressions in other parts of the framework in security releases.

Data point: Ubuntu has released these two security fixes for their users not by packaging 1.2.4 but by creating a 1.2.3-1ubuntu0.2.11.04.1 (talk about long package release numbers). I suspected they simply applied the patches linked from the announcement.

http://changelogs.ubuntu.com/changelogs/pool/main/p/python-django/python-django_1.2.3-1ubuntu0.2.11.04.1/changelog

The only issue I have with these two yes is that they mean adding burden to our release manager. But maybe that's a topic for another discussion.

Regards,

--
Ramiro Morales
