The policy of the arch-security mailing list is currently changed to a restricted, advisory-announcements-only list due to certain reasons roughly explained on the arch-devops [0] and arch-dev-public [1] lists.
I noticed this change when I tried to reply to today's nginx advisory by mentioning that nginx-mainline (in the AUR, but officially supported by nginx and relevant to the nginx advisory) was also affected, and also updated in the AUR. I don't think we should use arch-security for AUR security advisories in general, but I felt like that email was pretty on-topic for the mailing list under these circumstances.

Mailman lets you set a list to moderated, which requires each email to be manually approved by a moderator. I think that using this feature would be a good strategy so that moderators can use their best judgement on a case-by-case basis. I can't imagine the workload being very high, considering that prior to this change we were seeing, on average, <1 thread per month that was not a straightforward security advisory.

Considering the low volume of arch-security in the first place, I feel like this is a solution looking for a problem anyway. I've never felt that the signal:noise ratio on arch-security is a problem. The email thread mentioned in Christian's email to arch-devops is very unusual, at least for the time I've been subscribed to arch-security. If that sort of content shouldn't appear on the list, then a better solution would be to enable mailman's moderation than to blanketly ban all posts to the ML.

Aside: we should strive to make sure that mailing lists are involved in discussions that affect them _before_ decisions are made.

--
Drew DeVault