On 4/17/08, Jim Popovitch wrote:

> I think the process needs to change and have security issues handled
> outside of normal releases.

Which is what normally happens in the process as it currently exists. It's just that, in this particular case, this bug wasn't exposed until an earlier 2.1.10b version was released, and then we fixed this security hole. So, in this case, to get the security fix you need to install the latest 2.1.10rc (which includes additional functionality), as opposed to a patch to a previous 2.1.9 version (which would presumably include just the security fix).

To go down the road you suggest would mean that we'd be responsible for back-porting all security-only fixes to all previous versions of Mailman, as a completely separate release tree from the new development work. Speaking only for myself, this seems to be a significant additional amount of work, and I think it's unlikely to happen unless we get a lot more resources on this project. We'd need developers working on new code, developers working exclusively on security fixes, and a separate Release Engineer whose sole responsibility is to manage the process of creating appropriate patch releases as well as shepherding the new development releases.

FreeBSD can get away with that, because they've got a lot more people working on the project, and a lot more money supporting those people. I doubt we're ever going to be in a position to do something like that ourselves. In this project, most people have to wear multiple hats, and work on new development, security fixes, and release engineering, all at the same time.

> And for the record, I would be very willing to help out (I have python
> skills), but $DAYJOB legally prevents me from pretty much actively
> getting involved. Further, if I did contribute code, it could open
> Mailman up to legal issues. But, testing, etc, are ok because they
> are not IP related.

You could take over the Release Engineering job, and manage the two separate security patch-only releases as well as the new-development releases.
--
Brad Knowles <[EMAIL PROTECTED]>
LinkedIn Profile: <http://tinyurl.com/y8kpxu>

------------------------------------------------------
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp