> We've done concurrent releases without security before, and you follow much
> closer than others. I feel most people, if they saw all of the
> changes reverted and a release of a single fix, would either instantly know
> it's security (high confidence pointer to exactly which patch) OR assume
> someone botched the release prep and draw attention to it. So we're trading
> "someone who's very involved has a high confidence it's security but has to
> dig through 30 patches to find it" vs "everyone knows exactly what's going
> on", the former seems better
My initial thoughts are aligned with what Jeff writes here. Furthermore, when you apply our new-found practice of stable trunk and focus on QA, which I hope is continuously improving, this point only becomes more valid. And how to do CI (we need a green CI for a release, remember ;) on a private commit is something I really am unsure how we would do…