Hello,

I'm the primary maintainer of CPython packages in Gentoo. I would like
to discuss a possible improvement to the release process in order to
accelerate releasing security fixes to users.


I feel that vulnerability fixes do not make it to end users fast enough.
For example, according to the current release schedules for 3.9 and 3.8,
the bugfix releases are planned two months apart. While the release is
expected to happen in the next few days, both versions have been known
to be vulnerable for almost a month!

Ironically, things look even worse for security-supported versions.
Please correct me if I'm wrong, but both 3.7 and 3.6 seem to be behind
schedule (planned for Jan 15th), and they have been known to be
vulnerable since mid-October.

In my opinion, this causes three issues:

1. Users using official releases are exposed to security vulnerabilities
for prolonged periods of time.

2. When releases happen, security fixes are often combined with many
other changes. This causes problems for distribution maintainers who, on
one hand, would like to deploy the security fixes to production versions
ASAP, and on the other, would prefer that the new version remained in
testing for some time due to the other changes.

3. Effectively, it means that distribution developers need to track
and backport security fixes themselves. In the end, this means a lot of
duplicate work.


I think that security fixes are important enough to justify not sticking
to a strict release schedule. Therefore, I would like to propose that if
vulnerability fixes are committed, new releases are made
as frequently as necessary and as soon as possible (i.e. possibly giving
some time for testing) rather than according to a strict schedule.

Furthermore, I think that at least for branches that are at a higher
level of maintenance than security, it could make sense to actually make
security releases (e.g. 3.9.1.x) that would include only security fixes
without other changes.


What do you think?

-- 
Best regards,
Michał Górny
_______________________________________________
Python-Dev mailing list -- python-dev@python.org
To unsubscribe send an email to python-dev-le...@python.org
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at 
https://mail.python.org/archives/list/python-dev@python.org/message/VKIRQTSQCO3MTXS57MDGJE6FH3PJCEBI/
Code of Conduct: http://python.org/psf/codeofconduct/