On 5/15/26 04:49, Yves-Alexis Perez wrote:
> On Wed, 2026-04-29 at 19:22 +0200, Willy Tarreau wrote:
>> I'm increasingly doing that myself already, and predicted the death of
>> embargoes several months ago. Now I just remove unneeded details from
>> commit messages, merging and issue releases to keep users protected.
>
> Hey Willy,
>
> Unfortunately that also has the side effect of hiding security-relevant commits
> from downstream integrators and users. Not that we really have the time to dig
> each and every commit of each and every project (especially fast moving ones)
> but we definitely miss things here and there without a heads up.
I think the current upstream view is that one shouldn't bother doing this and just upgrade to the next release. Unfortunately, nowadays one can't even wait for a release, so one must look through individual commits. I wish Linux adopted the Xen Project Security Policy, but that would probably require a bunch of extra people.

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)