[1/2] doc/security: clarify pre-release end of the embargo date
Checks
Commit Message
Clarify that a fixed date will be used for end of embargo (public
disclosure) date while communicating with downstream stakeholders.
Initial document got a review that it gives an impression that
communicated embargo date can be a range like 'less than a week' which
is not the case. The range applies when defining the end of the embargo
date but a fix date will be communicated.
Signed-off-by: Ferruh Yigit <ferruh.yigit@intel.com>
---
doc/guides/contributing/vulnerability.rst | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Comments
> -----Original Message-----
> From: Yigit, Ferruh
> Sent: Monday, June 17, 2019 5:07 PM
> To: Mcnamara, John <john.mcnamara@intel.com>; Kovacevic, Marko
> <marko.kovacevic@intel.com>
> Cc: dev@dpdk.org; Thomas Monjalon <thomas@monjalon.net>; Maxime Coquelin
> <maxime.coquelin@redhat.com>
> Subject: [PATCH 1/2] doc/security: clarify pre-release end of the embargo
> date
>
> Clarify that a fixed date will be used for end of embargo (public
> disclosure) date while communicating with downstream stakeholders.
>
> Initial document got a review that it gives an impression that
> communicated embargo date can be a range like 'less than a week' which is
> not the case. The range applies when defining the end of the embargo date
> but a fix date will be communicated.
>
Acked-by: John McNamara <john.mcnamara@intel.com>
30/07/2019 13:16, Mcnamara, John:
> From: Yigit, Ferruh
> > Sent: Monday, June 17, 2019 5:07 PM
> >
> > Clarify that a fixed date will be used for end of embargo (public
> > disclosure) date while communicating with downstream stakeholders.
> >
> > Initial document got a review that it gives an impression that
> > communicated embargo date can be a range like 'less than a week' which is
> > not the case. The range applies when defining the end of the embargo date
> > but a fix date will be communicated.
> >
>
> Acked-by: John McNamara <john.mcnamara@intel.com>
I don't know why these old patches were still pending.
Series applied, better late than never :)
@@ -182,7 +182,7 @@ When the fix is ready, the security advisory and patches are sent
to downstream stakeholders
(`security-prerelease@dpdk.org <mailto:security-prerelease@dpdk.org>`_),
specifying the date and time of the end of the embargo.
-The public disclosure should happen in **less than one week**.
+The communicated public disclosure date should be **less than one week**
Downstream stakeholders are expected not to deploy or disclose patches
until the embargo is passed, otherwise they will be removed from the list.