{RHL release} {sha1sum or md5sum of the srpm} {srpmfilename} {Work performed, comments, suggestions} {Vote for Publish or not}
Put all of this in a file and gpg --clearsign the file. Paste the results of the clearsign into bugzilla. Add yourself to the bugzilla CC list if you wish.
Perhaps include references & links to authoritative information, like upstream patches and advisories. This is the kind of information that the packager should post in their initial bugzilla report too, in order to aid reviewers in the verification process. Links to OTHER DISTRIBUTION sources/patches/advisories who patched the same thing would also be helpful in backing up a claim of "see, they did it, so we're probably okay doing it too."
Warren
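
The report described in the post above, as an added shell example that is not part of the original message: it builds the review text from the SRPM, lets a reader re-check the recorded checksum against their own copy, and clearsigns the file. The field labels and line layout (`Release:`, `SHA1:`, `Work performed:`, `Vote:`) and the function names are assumptions; the post only names the fields.

```shell
#!/bin/sh
# Added example. Layout of the review text is an assumption, not a project format.

# make_review RELEASE SRPM WORK VOTE -> review body on stdout
make_review() {
    release=$1 srpm=$2 work=$3 vote=$4
    [ -r "$srpm" ] || { echo "cannot read $srpm" >&2; return 1; }
    # Hash the file that was actually reviewed; record only the base name so
    # the reviewer's local directory layout does not end up in the report.
    sum=$(sha1sum < "$srpm" | cut -d' ' -f1) || return 1
    printf 'Release: %s\n' "$release"
    printf 'SHA1: %s  %s\n' "$sum" "$(basename "$srpm")"
    printf 'Work performed: %s\n' "$work"
    printf 'Vote: %s\n' "$vote"
}

# check_review REVIEW_FILE SRPM -> 0 if the recorded checksum matches SRPM.
# Works on the plain or the clearsigned file; it does not check the
# signature itself, which is what `gpg --verify` is for.
check_review() {
    recorded=$(sed -n 's/^SHA1: \([0-9a-f]\{40\}\)  .*/\1/p' "$1" | head -n 1)
    [ -n "$recorded" ] || return 2      # no checksum line in the report
    actual=$(sha1sum < "$2" | cut -d' ' -f1)
    [ "$recorded" = "$actual" ]
}

# sign_review FILE -> writes FILE.asc, ready to paste into bugzilla
sign_review() {
    gpg --clearsign "$1"
}

# Typical use (file names are placeholders):
#   make_review "RHL 9" pkg.src.rpm "rebuilt and tested" "PUBLISH" > review.txt
#   sign_review review.txt
```
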