[Security-sig] How to document changes related to security in Python changelog?

Victor Stinner victor.stinner at gmail.com
Wed Jun 22 12:56:39 EDT 2016


I don't think that it matters much at this point. We can start with
the [Security] prefix and decide later to move items to a dedicated
section.

I expect that we have 10 security-related changes or less. Maybe I'm
wrong and we have way more than that :-)

Victor

2016-06-22 0:40 GMT+02:00 Barry Warsaw <barry at python.org>:
> On Jun 21, 2016, at 07:52 AM, Ethan Furman wrote:
>
>>On 06/21/2016 07:07 AM, Victor Stinner wrote:
>>> Christian proposed to simply prefix changes with "[Security]".
>>
>>Seems good to me -- are there any downsides?
>
> Nothing major IMHO.  The whole point is to make it easy for downstreams to
> identify change.  To that effect, I'd mildly prefer a Misc/NEWS section
> because it will be easier to pick out the changes, but OTOH "security" issues
> can span multiple sections, so it may just be more accurate to add a
> [Security] mark to issues that have a security aspect.
>
> Once downstreams are properly trained on the new mark, it should be just as
> easy to search for it.  It *is* a little difficult to search for specific
> issues in NEWS that occur after a given release.  I usually search for "What's
> new in X.Y" for the baseline X.Y I care about, and then search up for some
> reference to the issue I'm looking for.  It wouldn't be much extra work to
> also search for [Security].
>
> As an aside, when/if we ever get auto-NEWS file generation (to reduce
> conflicts), I would love to get the (git) commit id prepended to the NEWS
> item.  Sure, a particular change can span multiple commits, but the one that
> changes NEWS should be enough to quickly jump me to the relevant changes.
>
> Cheers,
> -Barry
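
The search described in the quoted message (find the baseline "What's new in X.Y" heading, then look above it for [Security] marks), as an added example that is not part of this thread or of CPython's tooling. The NEWS layout, release names and issue numbers in the sample are constructed assumptions.

```python
import re
# Constructed sample (newest release first); issue numbers are placeholders.
SAMPLE_NEWS = """\
What's New in Python 3.6.0 alpha 3
==================================

Core and Builtins
-----------------

- Issue #00001: [Security] Constructed entry that wraps onto
  a continuation line.

- Issue #00002: Constructed entry with no security aspect.

Library
-------

- Issue #00003: [Security] Constructed library entry.

What's New in Python 3.6.0 alpha 2
==================================

- Issue #00004: [Security] Constructed entry at the baseline itself.
"""

RELEASE_RE = re.compile(r"^What's New in (.+?)\??\s*$", re.IGNORECASE)

def security_entries_since(news_text, baseline):
    found, release, section, entry = [], None, None, []
    lines = news_text.splitlines() + [""]
    for line, nxt in zip(lines, lines[1:] + [""]):
        if entry and not line.startswith(" "):   # previous entry is complete
            text = " ".join(entry)
            if "[Security]" in text:
                found.append((release, section, text))
            entry = []
        m = RELEASE_RE.match(line)
        if m and m.group(1).lower() == baseline.lower():
            break                                # reached the baseline release
        if m:
            release = m.group(1)
        elif line and set(nxt) == {"-"}:         # section title, underlined
            section = line
        elif line.startswith("- "):              # first line of an entry
            entry = [line[2:]]
        elif entry:                              # indented continuation line
            entry.append(line.strip())
    else:  # loop ended without break: fail rather than return every entry
        raise ValueError(f"baseline {baseline!r} not found in NEWS")
    return found
```

Because each hit carries its section, the marked entries stay attributable to "Core and Builtins", "Library" and so on even though they span multiple sections.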

