Re: [PATCH v3] embargoed releases: also describe the git-security list and the process

Thanks, I incorporated all suggestions into the next version.

On Fri, Oct 21, 2022 at 5:11 PM Taylor Blau <me@xxxxxxxxxxxx> wrote:
>
> On Fri, Oct 21, 2022 at 07:41:49AM +0000, Julia Ramer via GitGitGadget wrote:
> > ---
> > .../howto/coordinate-embargoed-releases.txt   | 175 +++++++++++++++---
> > 1 file changed, 147 insertions(+), 28 deletions(-)
>
> This version looks great, thanks for your work polishing it up based on
> mine and Junio's review. I agree with what Junio said downthread in [1],
> and left a few minor nitpicks of my own.
>
> So, I don't have much to add beyond what Junio wrote. I suspect that
> between my feedback below and his in [1], that should be enough to get
> v4 ready to be queued.
>
> > +- The security-list members start a discussion to give an initial
>
> s/security-list members/members of the git-security list/.
>
> > +  assessment of the severity of the reported potential vulnerability.
> > +  We aspire to do so within a few days.
>
> Well put.
>
> > +- Code review can take place in a variety of different locations,
> > +  depending on context. These are: patches sent inline on the
> > +  git-security list, a private fork on GitHub associated with the
> > +  draft security advisory, or the git/cabal repository.
> > +
> > +  Contributors working on a fix should consider beginning by sending
> > +  patches to the git-security list (inline with the original thread),
> > +  since they are accessible to all subscribers, along with the original
> > +  reporter.
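Review bot: "a variety of different locations" is redundant, and the "These are:" sentence can be folded into the one before it; suggest "Code review can take place in one of several places, depending on context: patches sent inline on the git-security list, a private fork on GitHub associated with the draft security advisory, or the git/cabal repository." In the second paragraph, "should consider beginning by sending patches" is wordier than needed; "should start by sending patches to the git-security list" says the same.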
>
> There is some slightly odd wrapping between this and adjacent bullet
> points. It looks like the width of these lines is slightly shorter than
> the others.
>
> > +- Once the review has settled and everyone involved in the review agrees that
> > +  the patches are ready, the Git maintainer, and others determine a release date
> > +  as well as the release trains that are serviced. The decision regarding which
> > +  versions need a backported fix is based on input from the reporter, the
> > +  contributor who worked on the patches, and from stakeholders.   Operators
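Review bot: the comma in "the Git maintainer, and others determine a release date" separates the compound subject from its verb; drop it ("the Git maintainer and others determine a release date"). The opening "Once the review has settled and everyone involved in the review agrees" repeats "review"; "everyone involved agrees" reads more cleanly.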
>
> There are a few extra spaces between "from stakeholders." and "Operators"
>
> Thanks,
> Taylor
>
> [1]: https://lore.kernel.org/git/xmqqo7u5m8ku.fsf@gitster.g/
