When we do a security release, we upload a *.txt advisory to https://subversion.apache.org/security/ and link it from the announcement. That advisory isn't currently signed. Could we sign them?
That'd be useful, since they contain patches. They are already signed in the "embargoed pre-notification" emails, IIRC; just not when they're uploaded to the site.

Cheers,

Daniel

P.S. I couldn't find where the "Security release checklist" that the RM follows for security releases is. Any pointers?