Date:      Thu, 8 Sep 2022 10:31:20 +1000
From:      Kubilay Kocak <koobs@FreeBSD.org>
To:        Wen Heping <wen@FreeBSD.org>, FreeBSD Python Team <freebsd-python@FreeBSD.org>
Subject:   lang/python*: Security and bug fix releases not marked or merged
Message-ID:  <70ef8f8a-1a9e-a1f9-8c22-548eb8423a11@FreeBSD.org>

Hi Wen,

The latest round of lang/python* updates (3.9.14 still pending) don't 
appear to have been marked as security releases (in security/vuxml) or 
merged to the quarterly branch (for security and bugfixes).

lang/python310: Update to 3.10.7

https://cgit.freebsd.org/ports/commit/lang?id=1d9f19a0169e1cdbfedda11b75635fe89444a6c1
https://docs.python.org/release/3.10.7/whatsnew/changelog.html#python-3-10-7-final

lang/python37: Update to 3.7.14

https://cgit.freebsd.org/ports/commit/lang?id=7a50813b62ea926b18447a23cd75aa84b5569f22
https://www.python.org/downloads/release/python-3714/

lang/python38: Update to 3.8.14

https://cgit.freebsd.org/ports/commit/lang?id=fddd2fc682516649a9a180d65fbece9c3ff80af0
https://docs.python.org/release/3.8.14/whatsnew/changelog.html

lang/python39: Update to 3.9.14

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266286
https://docs.python.org/release/3.9.14/whatsnew/changelog.html

Everyone appreciates your time and effort keeping Python language ports 
up to date, but it's also important that we set a high standard of QA 
and completeness. It goes without saying that this is especially the 
case for security issues.

Additionally, the Python team has the luxury of having an upstream that 
has multiple long-lived minor version branches that only receive 
security and bug fixes (with an explicit no feature change policy).

This means that every release after a version x.0 is a bugfix and/or 
security update, and should be merged (merge by default).

I'd like to ask (everyone), that all future Python language port updates 
at a minimum:

- Have issues created in Bugzilla

- Have at least one other Python team member review/accept before being 
committed, ideally more.

- For maintenance releases (any versions after a *.0), are marked for 
merging by default (merge-quarterly = ?), and merged before being 
considered resolved and closing in Bugzilla.

- For security updates: Have security/vuxml entry patches attached 
alongside version update patches in Bugzilla

--
Regards,

Kubilay
^Python