On Thu, Nov 13, 2008 at 12:35 PM, Aaron W. Hsu <[EMAIL PROTECTED]> wrote: > Is security-announce an open list? If not, give me access and I'll > keep it reasonably up to date, give or take a day or so of release of > the Security Errata on the website, unless there is an even faster way > of checking it out, such as CVS.
It is moderated, and really, outsiders should not be posting to it because then it appears that they have some position of authority. The only person who should be posting to the list is the person who made the fix, because they are the security contact. When people reply, it is important they are talking to the right person. What you can do is monitor the list. If an erratum comes out and nothing happens for a day, email the person responsible and remind them. The person responsible is not necessarily the person who happened to commit to stable, though, it's the person who made the original fix. There's no announcements on the list because probably half the developers don't know they are supposed to make such announcements.
