One issue with this approach is that we are advertising that we are preparing a security release by preparing such a release candidate.
I wonder if we need to find a way to produce binaries without leaving an obvious public mark (i.e. private CI, private branch) From: Josh McKenzie <jmcken...@apache.org> Date: Tuesday, 15 February 2022 at 14:09 To: dev@cassandra.apache.org <dev@cassandra.apache.org> Subject: [DISCUSS] Hotfix release procedure On the release thread for 4.0.2 Jeremiah brought up a point about hotfix releases and CI: https://lists.apache.org/thread/7zc22z5vw5b58hdzpx2nypwfzjzo3qbr If we are making this release for a security incident/data loss/hot fix reason, then I would expect to see the related change set only containing those patches. But the change set in the tag here the latest 4.0-dev commits. I'd like to propose that in the future, regardless of the state of CI, if we need to cut a hotfix release we do so from the previous released SHA + only the changes required to address the hotfix to minimally impact our end users and provide them with as minimally disruptive a fix as possible.
