From 7cb09f40a69846fd5283626a095eb1b995d529fc Mon Sep 17 00:00:00 2001 From: Michael Dawson Date: Fri, 17 Feb 2023 13:15:00 -0500 Subject: [PATCH] doc: add request to hold off publicising sec releases MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - We've often seen tweets go out early before announcement and other parts of the security release complete - Make an explicit ask that collaborators avoid doing this by gating on the tweet from the Node.js account - Releasers would still be free to tweet earlier as they know when the process is complete. Signed-off-by: Michael Dawson PR-URL: https://github.com/nodejs/node/pull/46702 Reviewed-By: Ruben Bridgewater Reviewed-By: Tobias Nießen Reviewed-By: Robert Nagy Reviewed-By: Matteo Collina Reviewed-By: Rafael Gonzaga Reviewed-By: Akhil Marsonya Reviewed-By: Gireesh Punathil Reviewed-By: Antoine du Hamel Reviewed-By: Chengzhong Wu Reviewed-By: Luigi Pinca Reviewed-By: Richard Lau Reviewed-By: James M Snell Reviewed-By: Trivikram Kamat Reviewed-By: Darshan Sen --- doc/contributing/security-release-process.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/doc/contributing/security-release-process.md b/doc/contributing/security-release-process.md index 5a161a0f060b1c..25f61c2ac1d4c7 100644 --- a/doc/contributing/security-release-process.md +++ b/doc/contributing/security-release-process.md @@ -118,6 +118,7 @@ out a better way, forward the email you receive to `oss-security@lists.openwall.com` as a CC. * [ ] Create a new issue in [nodejs/tweet][] + ```text Security release pre-alert: 
@@ -130,6 +131,13 @@ out a better way, forward the email you receive to https://nodejs.org/en/blog/vulnerability/month-year-security-releases/ ``` + We specifically ask that collaborators other than the releasers and security + steward working on the security release do not tweet or publicise the release + until the tweet from the Node.js twitter handle goes out. We have often + seen tweets sent out before the release and associated announcements are + complete which may confuse those waiting for the release and also takes + away from the work the releasers have put into shipping the releases. + * [ ] Request releaser(s) to start integrating the PRs to be released. * [ ] Notify [docker-node][] of upcoming security release date: _**LINK**_
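Review bot: In the first hunk (@@ -118,6 +118,7 @@), the only change is a blank line added between the "Create a new issue in [nodejs/tweet][]" checklist item and the opening of the text block, which the commit message does not mention. If it is there to satisfy the markdown linter, say so in the commit message; otherwise drop it, so the patch contains only the new request.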
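Review bot: In the second hunk (@@ -130,6 +131,13 @@), "until the tweet from the Node.js twitter handle goes out" is ambiguous, because the new paragraph sits directly under the checklist item that creates the pre-alert tweet, and that pre-alert is itself sent from the Node.js account. A collaborator could read the pre-alert as the signal that publicising is now fine, which is the opposite of the intent. Suggest naming the tweet explicitly, for example "until the release announcement tweet from the Node.js Twitter handle goes out", or moving the paragraph next to the step where that announcement is sent. Two wording nits in the same paragraph: capitalise "Twitter", and fix the last sentence, which needs a comma before "which" and mixes "may confuse" with "takes away" (make the second verb "take").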