On Jan 5, 2015, at 7:04 AM, Jiri Benc <jb...@redhat.com> wrote: > > On Fri, 2 Jan 2015 13:44:49 -0800, Ben Pfaff wrote: > >> +Step 4: Embargoed Disclosure >> +---------------------------- >> + >> +The security advisory and patches are sent to downstream stakeholders, >> +with an embargo date and time set to 3 to 5 business days from the >> +time sent. Downstream stakeholders are expected not to deploy or >> +disclose patches until the embargo is passed. > > I suggest to create a closed unarchived mailing list for this, so no > stakeholder is forgotten if/when the person sending the advisory > changes.
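Review bot: The new Step 4 paragraph sets the embargo "to 3 to 5 business days from the time sent" but does not say in which time zone the embargo date and time are expressed, or who chooses the value within that range. Suggest requiring the advisory to state the exact expiry as a date and time in UTC, so every recipient reads the same deadline. The same paragraph refers to "downstream stakeholders" without saying where that set of recipients is defined or maintained; a pointer to wherever it is kept belongs in this step. Minor wording: "until the embargo is passed" reads better as "until the embargo has passed".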
The list is configured as closed, but it's archived. In general, I like to keep archives, since I think it provides useful guidance about how past activities were handled.

Your point about downstream stakeholders is interesting, though. We should have a list somewhere about who they are. My initial inclination is to make it part of this document, but I can also see the argument for it being private. Do we know how others do it?

--Justin

_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev