When we do a security release, we upload a *.txt advisory to
https://subversion.apache.org/security/ and link it from the
announcement.  That advisory isn't currently signed.  Could we sign
them?

That'd be useful, since they contain patches.  They are already signed
in the "embargoed pre-notification" emails, IIRC; just not when they're
uploaded to the site.

Cheers,

Daniel

P.S. I couldn't find where the "Security release checklist" that the RM
follows for security releases is.  Any pointers?
