[TYPO3-core] Combining security and bugfix releases
Steffen Gebert
steffen.gebert at typo3.org
Tue Dec 20 19:55:59 CET 2011
Hi Christian,
> I've decided to dare publicly questioning the choice to make 4.5.9 a
> combined bugfix and security release here. I was rather worried
> when I saw that this was the case because I believe that security
> releases should never take their chances of breaking things unrelated
> to the security problem.
I understand your concerns and think that Ernesto already gave a very
good insight into what is happening "behind the scenes".
One thing I still want to add: Ernesto explained that we had ~one year
ago the policy to have a bug-fix release, then a week commit freeze and
then the security release. However, then at the 2nd or 3rd time there
was a regression caused by a security fix itself - and that was when
this policy was dropped again, as there was no benefit, just more
people complaining that they have to update again.
As already said: Usually everything is reviewed - except very few sub
parts of the core (like htmlarea) for which the maintainer has the
permission to directly merge, as there would be hardly any reviewer
available who knows that code.
So if we would have more people interested in maintaining htmlarea or
those sub parts, this might not have happened. Still, there's the
lack of manpower to do it better.
Of course, regressions in security releases suck badly - but I guess
there's no royal road - except more automated tests, more reviewers,
more .. - more man power!
Kind regards
Steffen
--
Steffen Gebert
TYPO3 v4 Core Team Member
TYPO3 Server Administration Team Member
TYPO3 .... inspiring people to share!
Get involved: http://typo3.org