I've received multiple pleas from downstream stakeholders to give longer notice before publication, since a week can be insufficient time to prep roll-out or package updates for complex vulnerability fixes spanning multiple projects and services.

Increase the advance notification from 3-5 business days to 5-10 business days in order to accommodate more complicated advisories, at the coordinator's discretion. Note that we can't go past this if we continue to notify the private linux-distros mailing list at the same time, since their policy is that anything disclosed to them must also be published to the oss-security mailing list within two weeks.

Change-Id: I12d057f357b35f62a89654226baaa6c5b83e00dd
Signed-off-by: Jeremy Stanley <fungi@yuggoth.org>
Records of each security advisory issued by the OpenStack VMT https://security.openstack.org