Subject: Re: system updates
To: Martti Kuparinen <martti.kuparinen@iki.fi>
From: None <itojun@iijlab.net>
List: netbsd-users
Date: 08/16/2001 17:42:51

>But if one wants to have the official release + all security fixes
>without "untested" features from the "stable" (e.g. netbsd-1-5) branch?
>Ever followed FreeBSD -STABLE and saw things break on production
>systems? I have and I don't want to see that again. The FreeBSD's RELENG_4_3
>branch is just what I needed.

no untested features should appear into netbsd-1-5 branch, since
netbsd-1-5 branch should have no new things (everything has to be
merged into from main trunk = current).

>What I'd like to see in NetBSD is something like this:
>
>==+================= current
>  |
>  +======+===== netbsd-1-5
>  ^      |
>  |      +===== netbsd-1-5-2
>  |      ^
>  |      |
>  |      netbsd-1-5-PATCH002
>  |
>  netbsd-1-5-PATCH001
>
>So every release (e.g. the forthcoming 1.5.2) will be a BRANCH, not
>a normal tag, and this branch would include all the security fixes.
>Syncing against this tag would get only the security fixes, nothing more.
>
> # cvs -q update -r netbsd-1-5-PATCH002 -dP # 1.5.2
> # cvs -q update -r netbsd-1-5-2 -dP # 1.5.2 + security fixes
>
>When a release (major or patch release) is released :-) the branch and
>the release tag point to identical set of files. Later, when service
>foo is fixed for some attack, the fix is also pulled into the
>netbsd-1-5-2 branch. The security advisory then advises people to fetch the
>latest sources for the netbsd-1-5-2 branch or patch the sources manually
>as before.

what will happen to netbsd-1-5 branch, and who will pull in
security fixes to all those branches (main trunk, netbsd-1-5,
netbsd-1-5-2)? i like the current strategy better.

itojun