Hi Alexis,

Thanks for that. I read through the Google Doc and added some comments.

One thing I think would be valuable to include in the security process is for there to be a broadcast mail to some 'announce' mailing list in advance of patches to high severity issues, indicating that a critical patch is imminent, with an expected release date but without full details of the issue. For large users with big IT infrastructure it may be necessary to schedule extra staff to install urgent patches quickly and having advanced notice of when this will be necessary is very helpful. Projects like OpenSSL usually send these out three days before security-critical releases (see https://goo.gl/BzElRC for examples).

Cheers,

Nicko

On Thu, Nov 10, 2016 at 10:26 AM, Alexis Richardson <alexis@...> wrote:

+nicko

On Thu, Nov 10, 2016 at 5:21 PM, Dan Kohn via cncf-toc <cncf-toc@...> wrote:

There was a question at the Kubernetes panel Monday night about how to handle security reports now that Kubernetes is a CNCF rather than a Google project. Brandon Phillips seems to have already gotten a good start on this at https://github.com/kubernetes/kubernetes/issues/35462 and in the linked Google Doc. I presume he and Sarah Novotny will let CNCF staff know if they want any CNCF-hosted mailing lists or other infrastructure. But I wanted to flag this publicly in case anyone on the TOC list wanted to chime in. I'm also cc'ing Greg KH, in case he might want to add any comments about the kernel security process. -- Dan Kohn <mailto:dan@...g> Executive Director, Cloud Native Computing Foundation <https://cncf.io/> tel:+1-415-233-1000

_______________________________________________
cncf-toc mailing list
cncf-toc@...
https://lists.cncf.io/mailman/listinfo/cncf-toc

--

Nicko van Someren

CTO, Linux Foundation

+1 (978) 821-0391

_______________________________________________
cncf-toc mailing list
cncf-toc@...
https://lists.cncf.io/mailman/listinfo/cncf-toc