Good point re offline. I’m still convinced that 1) we’ll need that info inside of XWiki to push admins to upgrade and 2) that it shouldn’t make the RM job harder (ie it needs to be automated).
Yes. And the reason for this is that we didn’t want to disclose more than that, not because it’s in the release notes.
I had proposed this in Indicate if there are security issues in the Release Notes and it was refused. Now maybe opinions have changed 
Are you saying that it’s not a read-only ML? If not, what would it be used for (knowing that we already have security@xwiki.org). Or do you mean a read only list but archived and visible?
Yeah, ideally we would put all the info in the RN (possibly in a special xpropery) which should be the master place containing all info about a release, and have some automated process to send the mail to the security-announcement ML.
Thx