> On Jan 6, 2015, at 10:09 AM, Ben Pfaff <b...@nicira.com> wrote:
>
> On Tue, Jan 06, 2015 at 09:59:28AM -0800, Justin Pettit wrote:
>> On Jan 5, 2015, at 7:04 AM, Jiri Benc <jb...@redhat.com> wrote:
>>>
>>> On Fri, 2 Jan 2015 13:44:49 -0800, Ben Pfaff wrote:
>>>
>>>> +Step 4: Embargoed Disclosure
>>>> +----------------------------
>>>> +
>>>> +The security advisory and patches are sent to downstream stakeholders,
>>>> +with an embargo date and time set to 3 to 5 business days from the
>>>> +time sent. Downstream stakeholders are expected not to deploy or
>>>> +disclose patches until the embargo is passed.
>>>
>>> I suggest creating a closed, unarchived mailing list for this, so no
>>> stakeholder is forgotten if/when the person sending the advisory
>>> changes.
>>
>> The list is configured as closed, but it's archived. In general, I
>> like to keep archives, since I think it provides useful guidance about
>> how past activities were handled. Your point about downstream
>> stakeholders is interesting, though. We should have a list somewhere
>> about who they are. My initial inclination is to make it part of this
>> document, but I can also see the argument for it being private. Do we
>> know how others do it?
>
> We have a closed, archived list for the security team, called
> ovs-security. I think that Jiri is suggesting that we create another
> list for downstream stakeholders. That's not a bad idea, for the
> reasons that Jiri notes.
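Review bot: in the quoted Step 4 hunk, "an embargo date and time set to 3 to 5 business days from the time sent" leaves the deadline ambiguous for recipients in different regions, because the text does not say in which timezone the embargo date and time are expressed, and it does not say what the security team does if a stakeholder deploys or discloses before the embargo passes. Suggest stating the timezone explicitly alongside the embargo time (for example, always giving it in UTC) and adding a sentence describing how the team responds to an early disclosure, so that downstream stakeholders receive an unambiguous deadline and know the consequences of breaking it.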
Oh, yes. That makes a lot of sense.

--Justin

_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev