"Martin v. Löwis" writes:

> > In general, I recognize the burden on the release engineer, and
> > obviously any burdensome policy needs his OK. But I think the policy
> > should be *effective* too, and I just don't see that a policy that
> > allows such long lags is a more effective security response than a
> > policy that says "the tarballs are deprecated due to security fixes;
> > get your Python by importing the branch, not by fetching a tarball."
>
> In effect, this is what the PEP says. That's intentional (i.e. it
> is my intention - others may have different intentions). It's the
> repository that holds the security patches; the tarballs (and the
> version number bumps) are just a convenience.

It's not the intentions of the Python developers that is my concern here. In effect, I can read this PEP as saying "we don't take security seriously enough to release in a timely fashion, why should you go to the effort of getting sources and applying patches?" and I fear that many users will do so. I think that the label of "release" is important.