Re: Security policies for Kubernetes


Greg KH <gregkh@...>
 

On Thu, Nov 10, 2016 at 11:05:01AM -0700, Nicko van Someren wrote:
> One thing I think would be valuable to include in the security process is for
> there to be a broadcast mail to some 'announce' mailing list in advance of
> patches to high severity issues, indicating that a critical patch is imminent,
> with an expected release date but without full details of the issue. For large
> users with big IT infrastructure it may be necessary to schedule extra staff to
> install urgent patches quickly and having advanced notice of when this will be
> necessary is very helpful. Projects like OpenSSL usually send these out three
> days before security-critical releases (see https://goo.gl/BzElRC for
> examples).

I think you might want to reconsider that, as over beers, the OpenSSL
team says that this type of thing really doesn't work and just causes
more problems...

But hey, remember that I'm on a project that does weekly releases
without telling anyone what the security fixes we made in them were, so
what do I know? :)

thanks,

greg k-h
