Re: Why wasn't the 25.3 release based on the then-head of the emacs-25 branch?

[Paul Eggert]

Eli Zaretskii wrote:
> it's naïve to assume
> time frames of minutes for these activities, unless we want to give up
> QA.

It's routine to do the kind of QA that you mention in minutes for projects 
Emacs's size. We're not up to that now, but it's reasonable to make it a goal, 
if this sort of thing is important to us. At any rate the procedure could be 
streamlined considerably compared to what it was last time. Whether it should 
take 10 minutes or 2 hours is not something we need to decide now.

> I still don't understand what you are suggesting, in practical terms,
> and how will this be different from the current procedures, where
> anyone could raise a security issue and propose a solution.

We could try having a better relationship with Debian and one or two others, so 
that the patches they consider to be security issues cause us to consider 
issuing new versions quickly. And we could be more proactive in sending our 
potential security patches to them early in our review process.

> Are Debian and Fedora indeed enough?  What about Red Hat?

Fedora is Red Hat's early version, so we needn't worry about Red Hat separately.

> What about Arch Linux?

They wouldn't make my cut. Others of us might step up to be a liaison. openSUSE 
is also a plausible candidate for that.

> given the sample of distributions, how does one
> figure out which ones of them include a given Emacs changeset, in
> which versions of Emacs, and since what time.

This info is all public now, at least for Debian and Red Hat.