I think we should have a discussion to change the way netbsd releases and security advisories are done. they seem to be suitable for a large company, and netbsd is doesn't keep up with it.
security advisories are extremely tiresome to write, and contain a lot of useless information. All I care is "is this security? how bad is it? maybe tell me a little about it? and give me a binary fixing it". Instead we include information about CVS revisions for people who might want to cherry pick the result, which is a lot of work to create and has marginal use. We also don't provide the binaries. Moreso, people downloading netbsd after the fix do not get a fixed version. We are able to build a full release daily, but have infrequent and time-consuming teeny releases. snj goes through a lot of work to put together release notes for teeny releases and updating in several places. It would be more effective use of resources if we did a weekly signed build and pointed downloads to it, and provides the CHANGES entry somewhere on the website.