Hi,
I wonder if we could co-ordinate early disclosure of forthcoming security fixes, such as that due on 4th March, to nominated contacts at the various distributions. I speak only with a Debian hat, of course.
The problem I have currently is that I don't know what the content or severity of these releases is in advance of the day, and so can't prepare and test packages satisfactorily ahead of the release. I also can't guarantee how much spare capacity I have around that time.
If we knew in advance what was coming up, we could prepare packages and release them immediately after the upstream release. For Debian at least, we already have the infrastructure to build and test in advance and then just hit 'go' when the time comes.
This would also give us more time to prepare and test backports to older versions, such as the 1.15 we currently have in stable and will have for at least the next 12 months.
I would envisage such advance disclosures being embargoed and encrypted, naturally.
Thanks,
On 03/02/2013 11:27 AM, Jonathan Wiltshire wrote:
> I wonder if we could co-ordinate early disclosure of forthcoming security fixes, such as that due on 4th March, to nominated contacts at the various distributions. I speak only with a Debian hat, of course.
I've asked Chris Steipp -- Wikimedia's security guy -- to do this in the future. If they ok this, we can give you access to security issues in Bugzilla.
On 02/03/13 20:29, Mark A. Hershberger wrote:
> On 03/02/2013 11:27 AM, Jonathan Wiltshire wrote:
>> I wonder if we could co-ordinate early disclosure of forthcoming security fixes, such as that due on 4th March, to nominated contacts at the various distributions. I speak only with a Debian hat, of course.
> I've asked Chris Steipp -- Wikimedia's security guy -- to do this in the future. If they ok this, we can give you access to security issues in Bugzilla.
Wouldn't the people involved need to sign an NDA for that?
Alex Monk
On 03/02/2013 03:36 PM, Krenair wrote:
> Wouldn't the people involved need to sign an NDA for that?
If so, I imagine the Debian developers would be willing to do it in this instance. I think they have coordinated with others to do this before.
mediawiki-distributors@lists.wikimedia.org