That's interesting feedback. I was speaking to the VP of infrastructure at a major bank last week and he said that having a heads up from OpenSSL helps him hugely and he wished that more projects did it. I also had a request from one of the CII members asking for the same thing. Who in the OpenSSL team felt it didn't work? I would be interested to know what problems they find with this.

Cheers,
Nicko

On Thu, Nov 10, 2016 at 12:17 Greg KH <gregkh@...> wrote:

On Thu, Nov 10, 2016 at 11:05:01AM -0700, Nicko van Someren wrote:
> One thing I think would be valuable to include in the security process is for
> there to be a broadcast mail to some 'announce' mailing list in advance of
> patches to high severity issues, indicating that a critical patch is imminent,
> with an expected release date but without full details of the issue. For large
> users with big IT infrastructure it may be necessary to schedule extra staff to
> install urgent patches quickly and having advanced notice of when this will be
> necessary is very helpful. Projects like OpenSSL usually send these out three
> days before security-critical releases (see https://goo.gl/BzElRC for
> examples).

I think you might want to reconsider that, as over beers, the OpenSSL
team says that this type of thing really doesn't work and just causes
more problems...

But hey, remember that I'm on a project that does weekly releases
without telling anyone what the security fixes we made in them were, so
what do I know? :)

thanks,

greg k-h