oss-sec mailing list archives

Re: Re: Re: [MAINTAINERS SUMMIT] Handling of embargoed security issues -- security@korg vs. linux-distros@


From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Sun, 27 Aug 2023 10:23:45 -0700

On 8/25/23 04:17, Donald Buczek wrote:
> We heavily rely on the information about kernel security issues published to linux-distros, which we, of course, can
> only receive via oss-security after the embargo. We analyze each and every new topic on oss-security to decide whether
> it is relevant to us and what we can do about it. Nearly all of the userspace issues are of no relevance to us, but
> many of the kernel issues are, if we happen to run affected kernel versions.

So you rely on oss-security, but not linux-distros.  While every issue that
goes to one of the distros lists must later appear on oss-security, there
is no requirement that everything that comes to oss-security must first
appear on the distros lists, and much of it does not.

One possible outcome could be that issues are only sent to oss-security
once public and not to linux-distros during an embargo period - that would
still satisfy your needs, but make a lot of other folks unhappy.

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris

