Comment 34 for bug 2040137

Mark Esler (eslerm) wrote :

@mkukri: Sorry. I meant, could you share an example of their current documentation? If you send specifics, I can review.

I like giving users the option to do something "unsafe". It might be safe or necessary in their use case, or they might have other reasons to justify their threat model. As long as safe defaults are used and the documentation clearly communicates risks, I'm happy.

We could share patches 1 week before CRD on oss-security's distros list, and reach out to other vendors we know about then (distros has a 2-week max embargo period, but prefers 1 week). We can coordinate with Debian before then.