This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Suggest improvements to Twisted's release process #11940

Closed
richvdh opened this issue Feb 8, 2022 · 7 comments
Labels
T-Task Refactoring, removal, replacement, enabling or disabling functionality, other engineering tasks.

Comments

@richvdh
Member

richvdh commented Feb 8, 2022

The Twisted team have recently made a couple of releases in quick succession, both addressing security issues as well as including other changes. This has been difficult for both us and our downstream packagers to work with.

The Twisted release manager would welcome suggestions for improvements for this process in the form of a PR to https://github.com/twisted/twisted/blob/trunk/docs/core/development/policy/release-process.rst. It would be great if we could find the time to do this.

@richvdh
Member Author

richvdh commented Feb 8, 2022

(it might also be helpful if we could document our own release cycle, if for no other reason than to document a way that works for us.)

@reivilibre
Contributor

On the topic of library security vulnerability announcements, I seem to remember that I like OpenSSL's way of doing things where they give some advance notice before making a security release, along with the severity of the security release. Something like that would probably make sense for Twisted since it's a library — and it could be useful to mention a broad category (DoS? Information disclosure? etc) so that library users have a clue about what to expect.

@clokep
Member

clokep commented Feb 9, 2022

> (it might also be helpful if we could document our own release cycle, if for no other reason than to document a way that works for us.)

I've started this at #11954.

@clokep clokep added the T-Task Refactoring, removal, replacement, enabling or disabling functionality, other engineering tasks. label Feb 9, 2022
@adiroiban

True. A pre-release would be nice.

If people are hanging at IRC or Gitter, we talk about the release and pre-release and the planning... so you somehow get that info :)

Another option for release docs:
https://github.com/pyca/cryptography/blob/main/docs/doing-a-release.rst

@callahad
Contributor

We'll take an hour and throw together a PR to Twisted's release process as a strawman, but ultimately the folks who do the releases are the ones who have to accept and implement any changes, so we want to strongly defer to them rather than trying to argue the specifics of any given change.

As mentioned in comments above, there is lots of great prior art. Django's is decent, too: https://docs.djangoproject.com/en/dev/internals/security/#how-django-discloses-security-issues

@adiroiban

Twisted PR at twisted/twisted#1712 if you want to send your feedback. Thanks!

@callahad
Contributor

callahad commented Apr 6, 2022

Thank you for doing that, Adi! Will leave a comment over there, closing this issue here.

@callahad callahad closed this as completed Apr 6, 2022