[Security-sig] How to document changes related to security in Python changelog?
Barry Warsaw
barry at python.org
Tue Jun 21 18:40:16 EDT 2016

On Jun 21, 2016, at 07:52 AM, Ethan Furman wrote:

>On 06/21/2016 07:07 AM, Victor Stinner wrote:
>> Christian proposed to simply prefix changes with "[Security]".
>
>Seems good to me -- are there any downsides?

Nothing major IMHO. The whole point is to make it easy for downstreams to
identify change. To that effect, I'd mildly prefer a Misc/NEWS section
because it will be easier to pick out the changes, but OTOH "security" issues
can span multiple sections, so it may just be more accurate to add a
[Security] mark to issues that have a security aspect.

Once downstreams are properly trained on the new mark, it should be just as
easy to search for it. It *is* a little difficult to search for specific
issues in NEWS that occur after a given release. I usually search for "What's
new in X.Y" for the baseline X.Y I care about, and then search up for some
reference to the issue I'm looking for. It wouldn't be much extra work to
also search for [Security].

As an aside, when/if we ever get auto-NEWS file generation (to reduce
conflicts), I would love to get the (git) commit id prepended to the NEWS
item. Sure, a particular change can span multiple commits, but the one that
changes NEWS should be enough to quickly jump me to the relevant changes.

Cheers,
-Barry
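
The search described in the message above (find the "What's new in X.Y" baseline heading, then look upward for marked items), as an added example that is not part of the original message or of CPython's tooling. It assumes the proposed `[Security]` mark and a newest-first Misc/NEWS layout with final-release headings; the function name, issue numbers and sample entries are constructed.

```python
import re

# Constructed sample in the Misc/NEWS layout, newest release first (blank lines
# dropped for brevity). Issue numbers and texts are placeholders, not real entries.
SAMPLE_NEWS = """\
What's New in Python 3.5.3?
===========================
Core and Builtins
-----------------
- Issue #00001: [Security] Constructed entry about a parser
  overflow, continued on a second line.
- Issue #00002: Constructed non-security entry.
Library
-------
- [Security] Issue #00003: Constructed entry in another section.
What's New in Python 3.5.2?
===========================
- Issue #00004: [Security] Constructed entry already in the baseline.
"""

RELEASE = re.compile(r"^What's New in Python (\S+?)\??$", re.IGNORECASE)

def security_entries_since(news_text, baseline, mark="[Security]"):
    """Return (release, section, entry) for marked entries above the baseline heading."""
    found, release, section, entry = [], None, None, []
    def flush():
        # Close the entry being collected; keep it only if it carries the mark.
        text = " ".join(entry)
        if mark.lower() in text.lower():
            found.append((release, section, text))
        entry.clear()
    lines = news_text.splitlines()
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        m = RELEASE.match(line)
        if m:
            flush()
            if m.group(1) == baseline:
                return found  # everything newer than the baseline has been seen
            release, section = m.group(1), None
        elif line and nxt and set(nxt) == {"-"}:  # section title underlined with dashes
            flush()
            section = line.strip()
        elif line.startswith("- "):               # a new NEWS item
            flush()
            entry.append(line[2:].strip())
        elif entry and line.startswith("  "):     # continuation of the current item
            entry.append(line.strip())
    # Fail loudly rather than silently reporting the whole file as "new".
    raise ValueError("baseline heading not found: " + baseline)
```

Because the mark is matched anywhere in the item, it is found whether it precedes or follows the issue number, and marked items are reported from every section rather than from one dedicated section.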