|*||Timing of releases||Team|
Should we release both fixes together, or independently?
Now that the question has been posed to #Sys-Ops, how long do we wait for responses before making a decision/plan?
From the Security team's perspective it would be preferred to release both modules at the same time on Thursday.
Craig McNally will convey this to Oleksii P. and the two development teams involved once a decision has been made.
We agree with the approach of announcing the module releases to the sys-ops community prior to announcing the CSP that these module releases will eventually be part of. The CSP release announcements are made to a broader swath of the community.
|*||Preparing notifications to send out when releases are available||Team|
The fix involves not only updating the module, but also additional operational changes. How do we want to communicate this without essentially describing the exploit?
|*||How to improve this process going forward||Team|
A Google Doc has been created and shared in our (private) Slack channel. Please add notes/suggestions/concerns/ideas/etc. there while this is all fresh in our minds. Once the dust settles we'll need to have a retrospective about this and see how the processes can be improved.
N.B. I don't think there's anything sensitive in that document but please keep it internal to the security team for now since it's a "live" document and someone could potentially add sensitive information by mistake/inadvertently.