SECURITY: minor updates

- we allow the security push up to 48 hours before the release

- add a mention about possible pre-notifications

- lower case the 'curl-security' title
This commit is contained in:
Daniel Stenberg 2016-10-27 10:21:52 +02:00
parent 50ef91b59a
commit a65db0bbcb

@ -75,9 +75,11 @@ announcement.
to the 'distros' mailing list to allow them to use the fix prior to the
public announcement.
- At the day of the next release, the private branch is merged into the master
branch and pushed. Once pushed, the information is accessible to the public
and the actual release should follow suit immediately afterwards.
- No more than 48 hours before the release, the private branch is merged into
the master branch and pushed. Once pushed, the information is accessible to
the public and the actual release should follow suit immediately afterwards.
The time between the push and the release is used for final tests and
reviews.
- The project team creates a release that includes the fix.
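Review bot: The reworded bullet still ends with "the actual release should follow suit immediately afterwards", which contradicts the new allowance of up to 48 hours between the push and the release. Suggest dropping "immediately afterwards" and stating the bound directly, for example "the actual release should follow within 48 hours". Since the same bullet says the information is accessible to the public once pushed, it would also help to state that the fix can be visible in master for up to 48 hours before the release that includes it, so readers of the policy understand what that window means.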
@ -88,9 +90,19 @@ announcement.
- The security web page on the web site should get the new vulnerability
mentioned.
Pre-notification
----------------
If you think you are or should be eligible for a pre-notifcation about
upcoming security announcements for curl, we urge OS distros and similar
vendors to primarily join the distros@openwall list as that is one of the
purposes of that list - and not just for curl of course.
CURL-SECURITY (at haxx dot se)
If you are not a distro or otherwise not suitable for distros@openwall and yet
want pre-notifications from us, contact the curl security team with a detailed
and clear explanation why this is the case.
curl-security (at haxx dot se)
------------------------------
Who is on this list? There are a couple of criteria you must meet, and then we
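Review bot: "pre-notifcation" in the first added paragraph is misspelled and should read "pre-notification". The same sentence starts by addressing the reader ("If you think you are or should be eligible") and then switches to "we urge OS distros and similar vendors", so it reads more cleanly split in two: one sentence pointing distros to distros@openwall and one for everyone else. The second paragraph asks for "a detailed and clear explanation why this is the case" without saying what the curl security team will judge it against. Consider listing what the request should contain, or noting that such requests are decided case by case.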