On 05/05/2017 05:39 AM, Eric Covener wrote:
> Here is the change that probably has the biggest impact to the community:
> """
> ...
> The project team commits the fix. No reference should be made to the
> commit being related to a security vulnerability.

This is the only part that makes me nervous, since I worry it'll
encourage obscure commits, but otherwise...

> To me, this is just a way to get us out of ambiguity/stalemate about
> the overall process and follow security@a.o's best practices.
> Thoughts?

...I'm +1 to adopting the standard process in its entirety. We can
always modify pieces later if they end up not working for us.
--Jacob