Dear OpenSSL-Team,

First of all, thank you for your great work!

I hope openssl-dev is the right list for the following request:

Many projects rely on OpenSSL of course and whenever a new version is published fixing security issues, it is more or less a surprise to many. After the disclosure everyone tries to have their developers jump on integrating the fixes as soon as possible, but this may take some time to allocate and coordinate resources, increasing the time to a fixed version.

So my question is - would it be reasonable to send an early warning (without any details) to one of the OpenSSL lists a few days before publishing a version containing fixes for security vulnerabilities? Just saying something along the lines of "we plan to release a new openssl version containing security fixes in about 2 days".

Something like this would help people to already be alarmed and start preparing resources (if they like to). I think this would help decrease the time from the actual disclosure at OpenSSL to a fixed version of the respective project.

Thanks and Best Regards,
Henning

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
