Yes. That all sounds reasonable.
We DO timely releases to all (and we pre-announce so people know they’re
coming).
It’s just this extra category of people who get the patch separately, early.
There’s extra overhead in that. And it removes one motivation to update.
I’m kind of inclined to ad
On Wed, Oct 3, 2018 at 2:18 AM Markus Holtermann
wrote:
> Can: yes. Should: no.
Yeah, the idea's been proposed a couple times, and my stance on it is that
I'd quit not just the security team, but everything Django-related, if we
did that. Pay-to-play for security is not acceptable, period.
--
Can: yes. Should: no.
I would be really saddened to see companies being able to buy security by
throwing money at us. That makes us look like we can be bought. And that sends
the wrong signal, from my perspective. Timely security updates should be
available to everyone.
Should enterprises spo
On Sunday, 30 September 2018 06:51:41 UTC+2, James Bennett wrote:
>
> Does anyone else have feedback on this? I'd like to push it forward.
>
I don't know if this would fly but, given that pre-notification is mainly
thought of for large-scale ("enterprise"?) deployments that can't
realistically
Does anyone else have feedback on this? I'd like to push it forward.
On Sun, Aug 26, 2018 at 7:10 AM Adam Johnson wrote:
>> Members who are known to the security team to be maintaining codebases
>> on unsupported versions of Django will also be asked to provide
>> details of how they plan to mi
>
> Members who are known to the security team to be maintaining codebases
> on unsupported versions of Django will also be asked to provide
> details of how they plan to migrate to a supported version, and to
> assess whether they still require full notifications once that
> migration is complete.
There's been some discussion recently amongst the Django security team
regarding the way we handle advance notifications of security issues,
and whether we ought to change that. But since the security team is a
pretty small group, we'd like to take the discussion public and get
broader input before