Re: Re: lang/python*: Security and bug fix releases not marked or merged

From: Kubilay Kocak <koobs_at_FreeBSD.org>
Date: Thu, 08 Sep 2022 00:54:46 UTC
On 8/09/2022 10:42 am, wen heping wrote:
> The vuxml document was committed some minutes ago.
> The merge should be committed in a few hours; I will remember it.
> 
> wen

Thanks Wen.

The important part of the message is that, for future updates, it would 
be great not to require anyone else to check that security and bug 
fixes are marked and merged and that updates are all tracked (so 
people/the team receive notifications for review, etc.).

Ideally, vuxml entries are added as a first step (nothing blocks these), 
while we work on updates, exp-runs and review, so that:

a) users know about security issues as quickly as possible;
b) we are encouraged to get changes out as quickly as possible.

> ________________________________________
> From: Kubilay Kocak <koobs.freebsd@gmail.com> on behalf of Kubilay Kocak <koobs@FreeBSD.org>
> Sent: 8 September 2022 8:31
> To: Wen Heping; FreeBSD Python Team
> Subject: lang/python*: Security and bug fix releases not marked or merged
> 
> Hi Wen,
> 
> The latest round of lang/python* updates (3.9.14 still pending) don't
> appear to have been marked as security releases (in security/vuxml) or
> merged to the quarterly branch (for security and bugfixes).
> 
> lang/python310: Update to 3.10.7
> 
> https://cgit.freebsd.org/ports/commit/lang?id=1d9f19a0169e1cdbfedda11b75635fe89444a6c1
> https://docs.python.org/release/3.10.7/whatsnew/changelog.html#python-3-10-7-final
> 
> lang/python37: Update to 3.7.14
> 
> https://cgit.freebsd.org/ports/commit/lang?id=7a50813b62ea926b18447a23cd75aa84b5569f22
> https://www.python.org/downloads/release/python-3714/
> 
> lang/python38: Update to 3.8.14
> 
> https://cgit.freebsd.org/ports/commit/lang?id=fddd2fc682516649a9a180d65fbece9c3ff80af0
> https://docs.python.org/release/3.8.14/whatsnew/changelog.html
> 
> lang/python39: Update to 3.9.14
> 
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266286
> https://docs.python.org/release/3.9.14/whatsnew/changelog.html
> 
> Everyone appreciates your time and effort keeping Python language ports
> up to date, but it's also important that we set a high standard of QA
> and completeness. It goes without saying that this is especially the
> case for security issues.
> 
> Additionally, the Python team has the luxury of having an upstream that
> has multiple long-lived minor version branches that only receive
> security and bug fixes (with an explicit no feature change policy).
> 
> This means that every release after version x.y.0 is a bugfix and/or
> security update and should be merged (merge by default).
> 
> I'd like to ask (everyone) that all future Python language port updates
> at a minimum:
> 
> - Have issues created in Bugzilla
> 
> - Have at least one other Python team member review/accept before being
> committed, ideally more.
> 
> - For maintenance releases (any versions after a *.0), are marked for
> merging by default (merge-quarterly = ?), and merged before being
> considered resolved and closing in Bugzilla.
> 
> - For security updates: Have security/vuxml entry patches attached along
> side version update patches in Bugzilla
> 
> --
> Regards,
> 
> Kubilay
> ^Python
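The "merge by default" rule in the quoted mail (every release after an x.y.0 on a long-lived minor branch is a bug-fix and/or security release and should go to quarterly) is mechanical enough to encode. The following is an added example written for this page, not FreeBSD Python team tooling; it goes slightly beyond the mail by also handling upstream pre-release tags (a1, b2, rc1, which are not maintenance releases) and bumps that cross a minor branch. The version strings are the ones named in the thread plus assumed prior versions (3.10.6, 3.7.13, 3.8.13, 3.9.13) as inputs. Whether a release is *also* a security release cannot be derived from the version number; that still has to be read off the upstream changelog and recorded in security/vuxml.

```python
"""Classify lang/pythonXY version bumps for the merge-to-quarterly decision.

Added illustration, not FreeBSD tooling. Function and field names are ours;
the rule encoded is the one stated in the thread: a final release with
micro > 0 on an existing minor branch is a maintenance release and is a
merge-quarterly candidate by default. Feature releases (x.y.0) and
pre-releases are not.
"""
import re
from typing import NamedTuple, Optional

# Upstream CPython version forms: 3.10.7, 3.12.0a1, 3.12.0b2, 3.12.0rc1.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+))?$")

# Ordering of pre-release kinds; a final release outranks any pre-release.
_PRE_RANK = {"a": 0, "b": 1, "rc": 2, None: 3}


class PyVersion(NamedTuple):
    major: int
    minor: int
    micro: int
    pre_kind: Optional[str]  # "a", "b", "rc", or None for a final release
    pre_num: int

    @property
    def branch(self) -> str:
        return f"{self.major}.{self.minor}"

    @property
    def is_prerelease(self) -> bool:
        return self.pre_kind is not None

    @property
    def is_maintenance(self) -> bool:
        # x.y.0 (final) is a feature release; x.y.z with z > 0 is a
        # bug-fix/security release on a long-lived minor branch.
        return not self.is_prerelease and self.micro > 0


def parse_version(text: str) -> PyVersion:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a CPython version string: {text!r}")
    major, minor, micro, kind, num = m.groups()
    return PyVersion(int(major), int(minor), int(micro), kind, int(num or 0))


def sort_key(v: PyVersion):
    # Compares numeric parts first, then pre-release kind, then its number.
    return (v.major, v.minor, v.micro, _PRE_RANK[v.pre_kind], v.pre_num)


def classify_update(old: str, new: str) -> dict:
    """Describe what a bump from `old` to `new` implies for merge-quarterly.

    Security status is deliberately not a field here: it has to come from
    the upstream changelog, not from the version number.
    """
    o, n = parse_version(old), parse_version(new)
    same_branch = o.branch == n.branch
    is_upgrade = sort_key(n) > sort_key(o)
    return {
        "same_branch": same_branch,
        "is_upgrade": is_upgrade,
        "maintenance_release": n.is_maintenance,
        "prerelease": n.is_prerelease,
        # The thread's rule: a maintenance release on the same minor branch
        # is merged to quarterly by default.
        "merge_quarterly_default": same_branch and is_upgrade and n.is_maintenance,
    }


if __name__ == "__main__":
    # Bumps from the thread; the "old" versions are assumed prior releases.
    for port, old, new in [
        ("lang/python310", "3.10.6", "3.10.7"),
        ("lang/python37", "3.7.13", "3.7.14"),
        ("lang/python38", "3.8.13", "3.8.14"),
        ("lang/python39", "3.9.13", "3.9.14"),
        ("lang/python311", "3.11.0rc1", "3.11.0rc2"),  # constructed pre-release bump
    ]:
        info = classify_update(old, new)
        flag = "merge-quarterly" if info["merge_quarterly_default"] else "no merge by default"
        print(f"{port}: {old} -> {new}: {flag}")
```

All four bumps from the thread come out as merge-quarterly candidates; the constructed rc bump does not, and a bump that crosses a minor branch (for example 3.9.x to 3.10.x) is reported with `same_branch` false so that a reviewer looks at it rather than merging by reflex.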