Include link to blog post in security-release email #38143

Closed
WaleedAshraf opened this issue Apr 7, 2021 · 8 comments
Labels
meta Issues and PRs related to the general management of the project.

Comments

@WaleedAshraf
Contributor

The recent security release email for 6-Apr-2021 had two broken links for the versions.

Broken:

Correct:

Link for v15.14.0 was fixed by @Trott later here: nodejs/nodejs.org#3794
For v12.22.1, seems it was a typo in the email. The blog post had the correct link.

Suggestion:

There was no link to the actual blog post (https://nodejs.org/en/blog/vulnerability/april-2021-security-releases/) in the email. So, there was no way to navigate to the updated version from the email.

Would it be better if we don't include links to the individual versions in the email, but rather include a link to the blog post? In that case, the blog post can be fixed and stays up to date.

cc @nodejs/security-release

@nschonni
Member

nschonni commented Apr 7, 2021

Don't think this is the right repo. There is nothing here that sends out any emails. If you're talking about general GitHub notifications, that's not something we have control over.

@richardlau
Member

This is referring to the emails sent to the mailing list (https://groups.google.com/group/nodejs-sec) as per the security release process. I'll move this over to core because that's where the process doc lives.

richardlau transferred this issue from nodejs/nodejs.org Apr 8, 2021
richardlau added the meta label (Issues and PRs related to the general management of the project.) Apr 8, 2021
@richardlau
Member

cc @danbev @mhdawson as the most recent people to have run through this process for their thoughts on the suggestion.

@danbev
Contributor

danbev commented Apr 8, 2021

I've replied with a message to the group: https://groups.google.com/u/1/g/nodejs-sec/c/TXKhlMr55UA, and provided a link to the blog post as well.

> Would it be better if we don't include links to the individual versions in the email, rather include link to the blog post

I think we could do that or we could include a link to the blog post in addition to the copied information.

@WaleedAshraf
Contributor Author

@danbev Thanks for the correction email. Would have been better if you also included the correct link for v12. But it's fine, as the link to the blog is also included.

I'm not sure if there's a template for these emails which we can update to always include a link to the blog. If the release/security team thinks it'd be good to include.

@mhdawson
Member

mhdawson commented Apr 8, 2021

I think reducing to a single source of truth makes sense to me. The messages to the nodejs-sec mailing list could then just include the link to the blog post, and possibly the "Contact and future updates" section.

One thing I failed to notice earlier (my bad for not catching in review) is that the latest updates to the blog post did not keep the initial announce at the bottom. An example where we did that is: https://nodejs.org/en/blog/vulnerability/november-2020-security-releases/. I think if we do that for future ones, then having a reference in the email versus duplicated content will provide the same info, as well as making it easier for the security release steward.

@danbev does that make sense to you?

@danbev
Contributor

danbev commented Apr 9, 2021

Yeah, that makes sense to just have a link to the blog post and also save the pre-announcement in the real announcement 👍
I'll update the security release process doc with this.

danbev added a commit to danbev/node that referenced this issue Apr 19, 2021
This commit adds a suggestion for a template to be used as part of the
security release process. One step of this process is to create an email
to nodejs-sec group and currently would contain a copy and pasted
version of what is published on nodejs.org. This suggestion is to
instead use a link to the blog post.

Refs: nodejs#38143
danbev added a commit that referenced this issue Apr 23, 2021
This commit adds a suggestion for a template to be used as part of the
security release process. One step of this process is to create an email
to nodejs-sec group and currently would contain a copy and pasted
version of what is published on nodejs.org. This suggestion is to
instead use a link to the blog post.

PR-URL: #38290
Refs: #38143
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
targos pushed a commit that referenced this issue Apr 29, 2021
targos pushed a commit that referenced this issue May 30, 2021
targos pushed a commit that referenced this issue Jun 5, 2021
targos pushed a commit that referenced this issue Jun 11, 2021
@richardlau
Member

The email template in the security release process guide was updated in #38290 and recent emails, e.g. https://groups.google.com/g/nodejs-sec/c/xIj1bpCtY3I, contain links to the relevant blog post.
