Skip to content
Closed
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
doc: add request to hold off publicising sec releases
- We've often seen tweets go out early before announcement
  and other parts of the security release complete
- Make an explicit ask that collaborators avoid doing this
  by gating on the tweet from the Node.js account
- Releasers would still be free to tweet earlier as they know
  when the process is complete.

Signed-off-by: Michael Dawson <mdawson@devrus.com>
  • Loading branch information
mhdawson committed Feb 22, 2023
commit 7242478eb594225ee518e918cfb467bc1caf938f
8 changes: 8 additions & 0 deletions doc/contributing/security-release-process.md
Original file line number Diff line number Diff line change
Expand Up @@ -111,6 +111,7 @@ out a better way, forward the email you receive to
`oss-security@lists.openwall.com` as a CC.

* [ ] Create a new issue in [nodejs/tweet][]

```text
Security release pre-alert:

Expand All @@ -123,6 +124,13 @@ out a better way, forward the email you receive to
https://nodejs.org/en/blog/vulnerability/month-year-security-releases/
```

We specifically ask that collaborators other than the releasers and security
steward working on the security release do not tweet or publicise the release
until the tweet from the Node.js twitter handle goes out. We have often
seen tweets sent out before the release and associated announcements are
complete which may confuse those waiting for the release and also takes
away from the work the releasers have put into shipping the releases.

* [ ] Request releaser(s) to start integrating the PRs to be released.

* [ ] Notify [docker-node][] of upcoming security release date: _**LINK**_
Expand Down