From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 6981513E5 for ; Tue, 11 Sep 2018 18:45:01 +0000 (UTC) Received: from Galois.linutronix.de (Galois.linutronix.de [146.0.238.70]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 03DE03F7 for ; Tue, 11 Sep 2018 18:45:00 +0000 (UTC) Date: Tue, 11 Sep 2018 20:44:52 +0200 (CEST) From: Thomas Gleixner To: Dave Hansen In-Reply-To: Message-ID: References: <20180906225531.GB2251@localhost.localdomain> <20180910232652.GC1764@localhost.localdomain> <20180911084536.GB23570@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Cc: ksummit-discuss@lists.linuxfoundation.org Subject: Re: [Ksummit-discuss] [MAINTAINERS SUMMIT] Handling of embargoed security issues List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , On Tue, 11 Sep 2018, Dave Hansen wrote: > > Giving timelines is also very important. Folks spend a lot of time > counting months and weeks back on the calendar from a disclosure date. > The timeline gives them a discrete date to *do* something. Giving a timeline whatfor? How long it takes to fix something? We need to know about the issue first in order to do so. So the simple answer here is ASAP and not when some disclosure manager thinks it's about time. I rather have the fix simmering in my hidden repository for a month or two than having to rush things toward the disclosure date or when the embargo breaks early. But then if we know what it is, it might be trivial to give an ETA and it might be complete guess work for a while until we wrapped our brains around it. Thanks, tglx