On Fri, Oct 21, 2022 at 07:41:49AM +0000, Julia Ramer via GitGitGadget wrote:
> ---
> .../howto/coordinate-embargoed-releases.txt | 175 +++++++++++++++---
> 1 file changed, 147 insertions(+), 28 deletions(-)

This version looks great, thanks for your work polishing it up based on
mine and Junio's review. I agree with what Junio said downthread in [1],
and left a few minor nitpicks of my own.

So, I don't have much to add beyond what Junio wrote. I suspect that
between my feedback below and his in [1], that should be enough to get
v4 ready to be queued.

> +- The security-list members start a discussion to give an initial

s/security-list members/members of the git-security list/.

> + assessment of the severity of the reported potential vulnerability.
> + We aspire to do so within a few days.

Well put.

> +- Code review can take place in a variety of different locations,
> + depending on context. These are: patches sent inline on the
> + git-security list, a private fork on GitHub associated with the
> + draft security advisory, or the git/cabal repository.
> +
> + Contributors working on a fix should consider beginning by sending
> + patches to the git-security list (inline with the original thread),
> + since they are accessible to all subscribers, along with the original
> + reporter.

There is some slightly odd wrapping between this and adjacent bullet
points. It looks like the width of these lines is slightly shorter than
the others.

> +- Once the review has settled and everyone involved in the review agrees that
> + the patches are ready, the Git maintainer, and others determine a release date
> + as well as the release trains that are serviced. The decision regarding which
> + versions need a backported fix is based on input from the reporter, the
> + contributor who worked on the patches, and from stakeholders. Operators

There are a few extra spaces between "from stakeholders." and
"Operators"

Thanks,
Taylor

[1]: https://lore.kernel.org/git/xmqqo7u5m8ku.fsf@gitster.g/
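
Review bot: in the code-review bullet, the closing clause "since they are accessible to all subscribers, along with the original reporter" has an ambiguous "they" (the contributors or the patches), and the quoted lines state who can see the work only for the git-security list, not for the private GitHub fork or the git/cabal repository named just above. Suggest "since patches sent there are visible to all subscribers and to the original reporter", plus a short clause on who has access to the other two locations, so a contributor choosing a venue knows who will see the embargoed fix.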
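
Review bot: in the release-date bullet, "the Git maintainer, and others determine a release date" has a stray comma splitting the subject, and "others" leaves open who takes part in setting the date of an embargoed release. Suggest "the Git maintainer and others determine a release date" at minimum, and naming the group (for example the reporter, the contributor who worked on the patches, and stakeholders, which the next sentence already lists for the backport decision) if that is the intent.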