Message-ID:
From: "sehrope (@sehrope)"
To: "pgjdbc/pgjdbc"
Date: Thu, 21 May 2026 12:17:43 +0000
Subject: Re: [pgjdbc/pgjdbc] PR #4079: docs: spell out the proactive-security window in SECURITY.md
In-Reply-To:
References:
List-Id:
X-GitHub-Author-Login: sehrope
X-GitHub-Comment-Id: 4508181215
X-GitHub-Comment-Type: issue_comment
X-GitHub-Issue: 4079
X-GitHub-Repo: pgjdbc/pgjdbc
X-GitHub-Type: comment
X-GitHub-Url: https://github.com/pgjdbc/pgjdbc/pull/4079#issuecomment-4508181215
Content-Type: text/plain; charset=utf-8

If we split the publication step from the artifact creation then this would be significantly more future proof.

Branches should only concern themselves with generating the target artifacts, i.e. the jar and source jar. The checksums, signatures, and publishing should happen out of band. The only inputs into the publishing step are jars + version numbers, and it publishes them to wherever / however we want.

No worrying about back branch publication going stale or Sonatype changes not being reflected. Just build the jar however we were building it at the time and handle publication of the artifacts separately. An end-to-end build / test / sign / deliver flow is much more likely to break than a build step that just produces the jars.

This approach also means that porting patches to back branches would only be the patches themselves. We should never have to touch the (at the time) build system.