On Tue, Jan 06, 2015 at 09:59:28AM -0800, Justin Pettit wrote:
> On Jan 5, 2015, at 7:04 AM, Jiri Benc <jb...@redhat.com> wrote:
> >
> > On Fri, 2 Jan 2015 13:44:49 -0800, Ben Pfaff wrote:
> >
> >> +Step 4: Embargoed Disclosure
> >> +----------------------------
> >> +
> >> +The security advisory and patches are sent to downstream stakeholders,
> >> +with an embargo date and time set to 3 to 5 business days from the
> >> +time sent. Downstream stakeholders are expected not to deploy or
> >> +disclose patches until the embargo is passed.
> >
> > I suggest to create a closed unarchived mailing list for this, so no
> > stakeholder is forgotten if/when the person sending the advisory
> > changes.
>
> The list is configured as closed, but it's archived. In general, I
> like to keep archives, since I think it provides useful guidance about
> how past activities were handled. Your point about downstream
> stakeholders is interesting, though. We should have a list somewhere
> about who they are. My initial inclination is to make it part of this
> document, but I can also see the argument for it being private. Do we
> know how others do it?

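Review bot: Step 4 names "downstream stakeholders" as the recipients of the advisory and patches but does not say who they are, where the list of them is maintained, or which address the advisory is sent to. Suggest adding a sentence that points to the maintained recipient list or distribution address, so the step does not depend on the sender's own records. The "embargo date and time" should also state a time zone (UTC, for example), since recipients in different zones would otherwise read the deadline differently, and "until the embargo is passed" reads better as "until the embargo has passed".
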
We have a closed, archived list for the security team, called
ovs-security. I think that Jiri is suggesting that we create another
list for downstream stakeholders. That's not a bad idea, for the
reasons that Jiri notes.
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev