On Thu, Sep 05, 2002 at 04:51:56PM -0700, Aaron Bannert wrote:
>...
> > We can make a branch for a security release after the fact, either
> > off the last release or off the pre-auth-change tag and then build
> > a security-fix-only release off that branch.
> 
> Why would we branch for a security fix in lieu of just branching
> a sandbox for the auth developers to play in -- in the first place?

Quite simple, actually. You put the developers in definite pain by making
them branch, compared to a *potential* pain of a branch for a security fix.

"pain" being arguable, of course -- it all depends upon people's aversion to
CVS branches. But there is real pain in the sense that a person will be
working by themselves, rather than in the trunk where others will verify
the work being completed.

And in any case, a branch for a security fix will most likely be done
against the 2.0.40 tag, rather than the head. People are going to patch
against 2.0.40, if anything.


And, honestly, I think people are simply way too frickin' scared here. You
should stop and look at the patches that Dirk and Justin have written and
are proposing. There is existing code for this. It is mostly *other* people
who are talking about destabilizing. Not Justin.

Cheers,
-g

-- 
Greg Stein, http://www.lyra.org/
