Dealing with old fixed security issues

Rebooting the proposal since I happened to encounter again an old fixed security issue marked confidential.
So the proposal is now the following:

  1. to mark all fixed JIRA security issues as public (said otherwise, to reset the confidential field) when they concern versions more than 3 months old and they do not link to a draft advisory (if we have a draft advisory it means they are already handled by our standard process)
  2. to not create CVEs for them: the rationale is that it’s a lot of work and the users should already have upgraded the issue.

Note that we can ponderate it a bit and choose to only do that for issues fixed before the previous LTS (so before 11.10.10): we might consider that we still have possibly lots of users on 11.10.10 that might get impacted if we disclose issues. If we decide that, we’ll probably need to do the proposed process again in one year for the remaining ones.

wdyt?