Hi everyone,
as part of the Security Policy vote I threw out an idea about adding some more information about security issues in the release notes. It was just a wild idea that I’ll try to formalize here as a proposal. Note that in this proposal I assume we agree on a grace period between the publication of the release notes and the publication of the confidential security issues. I don’t make any assumption about how long this grace period is, though: it could be a week, 3 months or a year; it doesn’t change this proposal.
I’m proposing to add 2 new sections in the release notes, one entitled “Fixed Security Issues” and another one entitled “Known Security Issues”.
At the moment of the release, Fixed Security Issues would contain a standard message, such as:
XX security issues have been fixed as part of this release. Those fixed security issues will appear below whenever they get published.
where “XX” is the number of issues (known by the release master) marked as confidential and fixed in the release.
Below that message we would insert a JIRA macro with a query like this:
Project in ("XWiki Commons", "XWiki Rendering", "XWiki Platform") and fixVersion in ("11.10.11") and labels in ("security-public")
Then each time a security issue gets published (by setting the confidential field), we would also set the dedicated label “security-public” so it would appear in the release notes.
Now in the section “Known Security Issues”, we would conversely display a JIRA macro or a JIRA link with the same kind of query, but for affectVersion:
Project in ("XWiki Commons", "XWiki Rendering", "XWiki Platform") and affectVersion in ("11.10.11") and labels in ("security-public")
This would make it possible to get a very quick idea of the security state of a specific release.
WDYT?
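To make the two queries and the counting rule concrete, here is an added example (it is not part of the original post and not XWiki code) that models the proposed sections over a constructed, in-memory issue list instead of a live JIRA instance. The Issue fields, the sample issue keys, the helper names and the decision to keep counting an issue in “XX” after it has been published are all assumptions made for the example.

```python
"""Model of the proposed "Fixed Security Issues" / "Known Security Issues"
release-notes sections over a constructed issue list (example code added
here, not from the original post and not XWiki's own code)."""
from dataclasses import dataclass

PROJECTS = ("XWiki Commons", "XWiki Rendering", "XWiki Platform")
PUBLIC_LABEL = "security-public"


@dataclass
class Issue:
    # Field names are assumptions; they mirror the JIRA fields named in the post.
    key: str
    project: str
    fix_versions: tuple = ()
    affects_versions: tuple = ()
    confidential: bool = False
    labels: tuple = ()

    def is_public(self):
        return PUBLIC_LABEL in self.labels

    def is_security(self):
        # Assumption: a security issue is either still confidential or has
        # already been published with the dedicated label.
        return self.confidential or self.is_public()


def jql(version_field, version, projects=PROJECTS, label=PUBLIC_LABEL):
    """Build the JQL string from the post for fixVersion or affectVersion."""
    proj = ", ".join(f'"{p}"' for p in projects)
    return (f'Project in ({proj}) and {version_field} in ("{version}") '
            f'and labels in ("{label}")')


def fixed_security_count(issues, version, projects=PROJECTS):
    """The "XX" of the standard message: security issues fixed in the release,
    whether or not they have been published yet."""
    return sum(1 for i in issues if i.project in projects
               and version in i.fix_versions and i.is_security())


def published_fixed(issues, version, projects=PROJECTS):
    """What the first JIRA macro lists: fixVersion + security-public label."""
    return sorted(i.key for i in issues if i.project in projects
                  and version in i.fix_versions and i.is_public())


def published_known(issues, version, projects=PROJECTS):
    """What the second JIRA macro lists: affectVersion + security-public label."""
    return sorted(i.key for i in issues if i.project in projects
                  and version in i.affects_versions and i.is_public())


def publish(issue):
    """The publishing step from the post: flip the confidential field and add
    the label so the issue starts showing up in the macros."""
    issue.confidential = False
    if PUBLIC_LABEL not in issue.labels:
        issue.labels = issue.labels + (PUBLIC_LABEL,)
    return issue


def render_release_notes(issues, version, projects=PROJECTS):
    """Plain-text rendering of both sections for one release."""
    count = fixed_security_count(issues, version, projects)
    lines = ["Fixed Security Issues",
             f"{count} security issues have been fixed as part of this release. "
             "Those fixed security issues will appear below whenever they get published.",
             "  JQL: " + jql("fixVersion", version, projects)]
    lines += [f"  - {k}" for k in published_fixed(issues, version, projects)]
    lines += ["Known Security Issues",
              "  JQL: " + jql("affectVersion", version, projects)]
    lines += [f"  - {k}" for k in published_known(issues, version, projects)]
    return "\n".join(lines)


def sample_issues():
    """Constructed sample data; the keys are made up for this example."""
    return [
        Issue("XCOMMONS-1", "XWiki Commons", ("11.10.11", "12.6"), ("11.10.10",),
              labels=(PUBLIC_LABEL,)),                     # fixed and published
        Issue("XWIKI-2", "XWiki Platform", ("11.10.11",), ("11.10.10",),
              confidential=True),                          # fixed, still confidential
        Issue("XWIKI-3", "XWiki Platform", ("12.6",), ("11.10.11", "12.5"),
              labels=(PUBLIC_LABEL,)),                     # affects 11.10.11, fixed later
        Issue("XRENDERING-4", "XWiki Rendering", ("11.10.11",), ("11.10.10",),
              labels=(PUBLIC_LABEL,)),                     # fixed and published
        Issue("XWIKI-5", "XWiki Platform", (), ("11.10.11",),
              confidential=True),                          # known but unpublished: hidden
        Issue("CONTRIB-6", "XWiki Contrib", ("11.10.11",), (),
              labels=(PUBLIC_LABEL,)),                     # outside the project filter
    ]


if __name__ == "__main__":
    issues = sample_issues()
    print(render_release_notes(issues, "11.10.11"))
    publish(next(i for i in issues if i.key == "XWIKI-2"))
    print("\nAfter publishing XWIKI-2:\n" + render_release_notes(issues, "11.10.11"))
```

Running it shows the point of the fixed count: XWIKI-2 is counted in “XX” from day one but only appears in the list once it is published, and the count does not change at that moment. It also shows the caveat for the second section: XWIKI-5 affects 11.10.11 but, being unpublished, is invisible there, so “Known Security Issues” only ever reflects published issues.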