From 7242478eb594225ee518e918cfb467bc1caf938f Mon Sep 17 00:00:00 2001 From: Michael Dawson Date: Fri, 17 Feb 2023 13:15:00 -0500 Subject: [PATCH] doc: add request to hold off publicising sec releases - We've often seen tweets go out early before announcement and other parts of the security release complete - Make an explicit ask that collaborators avoid doing this by gating on the tweet from the Node.js account - Releasers would still be free to tweet earlier as they know when the process is complete. Signed-off-by: Michael Dawson --- doc/contributing/security-release-process.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/doc/contributing/security-release-process.md b/doc/contributing/security-release-process.md index c2847da26665bf..d8d0192905d9e8 100644 --- a/doc/contributing/security-release-process.md +++ b/doc/contributing/security-release-process.md @@ -111,6 +111,7 @@ out a better way, forward the email you receive to `oss-security@lists.openwall.com` as a CC. * [ ] Create a new issue in [nodejs/tweet][] + ```text Security release pre-alert: @@ -123,6 +124,13 @@ out a better way, forward the email you receive to https://nodejs.org/en/blog/vulnerability/month-year-security-releases/ ``` + We specifically ask that collaborators other than the releasers and security + steward working on the security release do not tweet or publicise the release + until the tweet from the Node.js twitter handle goes out. We have often + seen tweets sent out before the release and associated announcements are + complete which may confuse those waiting for the release and also takes + away from the work the releasers have put into shipping the releases. + * [ ] Request releaser(s) to start integrating the PRs to be released. * [ ] Notify [docker-node][] of upcoming security release date: _**LINK**_