Remove nodejs-sec usage in favor of Node.js org RSS Feed

[RafaelGSS]

In our security release process, we have declared the need of:

(Not yet automatic - do this manually) Google Groups
Email: notify oss-security@lists.openwall.com

While we could somehow automate that, it would require an additional step from the release (which is getting the Google Group Token) and creating a script to send the message before and after the security release, and I'm wondering if that effort is worth it.

The Node.js Website team already maintains an RSS Feed for the vulnerability blog https://nodejs.org/en/feed/vulnerability.xml and having a centralized space to notify users when a security release arises or is planned is better in terms of maintainability.

Does someone object if we remove nodejs-sec from the official security release procedure?

cc: @nodejs/security @nodejs/tsc @nodejs/security-wg

[ljharb]

I haven’t used RSS since google reader died, and i definitely have always relied on the Google groups emails.

[RafaelGSS]

That's a personal preference though. The point here is to send the message, and we'll be sending the message (even via RSS). If folks prefer to use google groups emails, then they can write a script to do it.

[ljharb]

Sure, but for security announcements it's usually preferable to broadcast them as widely as possible, not as narrowly as possible. If a script has to be made, shouldn't it be made once to automate the google groups announcement, instead of making everyone who prefers email over RSS (which would be most, i would assume) write a separate script?

[mhdawson]

I think a good part of those interested depend on the mailing list. We've had people comment in the past when we missed sending out a notification. I don't think rss is a good replacement.

[RafaelGSS]

Closing this issue as we'll proceed with the google-group message automation as part of security release.