I'd like to reference and summarize some relevant mails from private@:

[[[
Date: Fri, 29 Mar 2013 07:07:12 +0300
From: Daniel Shahaf
To: priv...@subversion.apache.org
Subject: PGP encrypting pre-notification recipients
Message-ID: <20130329040712.GA2958@lp-shahaf.local>
]]]

tl;dr Should we PGP-encrypt the pre-notification emails?

[[[
Date: Wed, 7 Aug 2013 11:38:36 +0300
From: Daniel Shahaf
To: priv...@subversion.apache.org
Subject: Security patches release process
Message-ID: <20130807083836.GF3007@lp-shahaf.local>
]]]

tl;dr Describes the process we used. Proposes an alternative that doesn't use security-by-obscurity: basically, to pre-notify and release a signed .diff file in lieu of a tarball. The .diff and .diff.asc would be subject to the same substantive and formal requirements as any other release artifact: voting, detached PGP signature, distributed on the mirrors, etc. (The email lists that under "v3".) It's based on our historical process of preparing tarballs and voting on them in private, tarballs that differ from the preceding release by exactly the security patch and nothing else. (Example: diff 1.5.6 to 1.5.7.)

[[[
Date: Sat, 12 Jan 2019 15:17:17 +0000
From: Daniel Shahaf
To: priv...@subversion.apache.org
Subject: Re: A volunteer to announce and close the fixed security issues?
Message-Id: <1547306237.108755.1632733392.3e962...@webmail.messagingengine.com>
]]]

tl;dr Writes down some of the "How to retroactively notify a security release" process.