Re: [PATCH v2] embargoed releases: also describe the git-security list and the process

[Junio C Hamano <gitster@pobox.com>]

Junio C Hamano <gitster@pobox.com> writes:

> -- Within a couple of days, someone from the core Git team responds with an
> -  initial assessment of the bug’s severity.
> +- Within a couple of days, someone from the core Git team, including
> +  the Git maintainer, responds with an initial assessment of the
> +  bug’s severity.

The "including" here looks even less clear.  Does somebody other
than me and I should respond?  That is not what I wanted to say.
Hence ...

> -- Other core developers - including the Git maintainer - chime in.
> +- Other core developers chime in.

... I wonder if it would be better to consolidate the above two into
one bullet point, e.g.

 - The security-list members start a discussion to give an initial
   assessment of the severity of potential vulnerability reported.
   We aspire to do so within a few days.

> -- The Git for Windows, Git for macOS, BSD, Debian, etc maintainers prepares the
> +- The Git for Windows, Git for macOS, BSD, Debian, etc. maintainers prepares the
>    corresponding release artifacts, based on the tags created that have been
>    prepared by the Git maintainer.

"prepares" -> "prepare".

>  - Less than a week before the release, a mail with the relevant information is
>    sent to <distros@vs.openwall.org> (see below), a list used to pre-announce
>    embargoed releases of open source projects to the stakeholders of all major
> -  Linux distributions. This includes a Git bundle of the tagged version(s), but
> -  no further specifics of the vulnerability.
> +  distributions of Linux as well as other OSes. This includes a Git bundle
> +  of the tagged version(s), but no further specifics of the vulnerability.

The bundle contains enough information to recreate these tagged
versions under embargo, hence the release notes for these releases
that discloses the vulnerability.  Perhaps drop "but no further..."?