I've received multiple pleas from downstream stakeholders to give
longer notice before publication, since a week can be insufficient
time to prep roll-out or package updates for complex vulnerability
fixes spanning multiple projects and services.
Increase the advance notification from 3-5 business days to 5-10
business days in order to accommodate more complicated advisories,
at the coordinator's discretion.
Note that we can't go past this if we continue to notify the private
linux-distros mailing list at the same time, since their policy is
that anything disclosed to them must also be published to the
oss-security mailing list within two weeks.
Change-Id: I12d057f357b35f62a89654226baaa6c5b83e00dd
Signed-off-by: Jeremy Stanley <fungi@yuggoth.org>
4ee4367072
