On Oct 01, 2012, at 01:30 PM, Martin v. Löwis wrote:

>I had meant to write a PEP on security releases for several
>years now.

+1

>Since this still doesn't exist, here is the outline
>of the procedures that maintainers have agreed upon:
>- bug fix releases are made until the next feature release is
>  out (with 2.7 being an exception from that rule)
>- security fixes are being provided until 5 years after the initial
>  release of the feature release
>  * for 2.6, this will be until Oct 1, 2013
>  * for 3.1, this will be until July 27, 2014
>  * for 3.2, this will be until Feb 20, 2016
>  The 5 years horizon is based on requests of system packagers
>  (Linux distributions in particular), who often also have 5-year
>  cycles for long-term support.
>- security releases are made whenever maintainers deem it necessary;
>  the two options are
>  * commit fixes into source repository only, and release whenever
>    enough time has passed, or enough changes have accumulated, or
>  * release right after a security issue has been resolved
>  Which of these to take depends on the nature of the fix, of course.
>  The former is intended for system packagers of Python - they can
>  incorporate fixes that are official already despite not having been
>  released yet.

The only thing missing is whether releases are made source-only or with
binary packages for Windows and Mac. My understanding is that once a
release goes into security-only mode, binary releases cease.

Cheers,
-Barry
_______________________________________________
python-committers mailing list
python-committers@python.org
http://mail.python.org/mailman/listinfo/python-committers