On Wed, Aug 13, 2014 at 01:12:12PM -0400, Henning Horst wrote:
> Dear OpenSSL-Team,
>
> First of all, thank you for your great work!
>
> I hope openssl-dev is the right list for the following request:
>
> Many projects rely on OpenSSL of course and whenever a new version is
> published fixing security issues, it is more or less a surprise to many.
> After the disclosure everyone tries to have their developers jump on
> integrating the fixes as soon as possible, but this may take some time
> to allocate and coordinate resources, increasing the time to a fixed
> version.
>
> So my question is - would it be reasonable to send an early warning
> (without any details) to one of the OpenSSL lists a few days before
> publishing a version containing fixes for security vulnerabilities?
> Just saying something along the lines of "we plan to release a new
> openssl version containing security fixes in about 2 days". Something
> like this would help people to already be alarmed and start preparing
> resources (if they like to). I think this would help decreasing the time
> from the actual disclosure at openssl to fixed version of the respective
> project.

We did that with the last release. It was mailed to -dev, -user and
-announce list. It was announced the 3rd that we'd be releasing a new
update the 6th.

Kurt

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
