On 06/19/2017 03:35 PM, William A Rowe Jr wrote:
Not to announce@httpd? users@ and dev@ aren't particularly broadcast channels.announce@a.o might be too wide an audience, but that's why we document the CVE's with short notes in the foundation-wide release announcement. At least, used to document them.
I was following Jim's lead on the first CVE announcement. I'm not opposed to a [SECURITY] announcement for all five; just timid. :)
Any opposed to me copying all five to announce@httpd? --Jacob