> * Is it a good strategy to ship to Python releases for every
>   single OpenSSL security release or is there a better way to
>   handle these 3rd party issues ?

At least for Windows, a new release certainly needs to be made. It could be possible to produce MSI patch files, but this would still be a new release.

> I think we should link to the OpenSSL libs dynamically rather
> than statically in Python 2.7 for Windows so that it's possible
> to provide drop-in updates for such issues.

It is possible to provide drop-in updates regardless of whether the OpenSSL libs are dynamically linked, as the _ssl module itself is a dynamic lib.

> * Should we try to avoid two digit patch level release numbers
>   by using some other mechanism such as e.g. a release date
>   after 2.7.9 ?

If it was for me, then yes, certainly: the development of 2.7 should just stop :-)

> * Should we make use of the potential breakage with 2.7.10
>   to introduce a new Windows compiler version for Python 2.7 ?

Assuming it is a good idea to continue producing Windows binaries for 2.7, I think it would be a bad idea to switch compilers. It will cause severe breakage of 2.7 installations, much more problematic than switching to two-digit version numbers.

Regards,
Martin