[arch-general] [Announcement] Discussion about restricting arch-security for public participation

Drew DeVault sir at cmpwn.com
Thu Jan 28 01:13:57 UTC 2016


> the policy of the arch-security mailing list is currently changed to a
> restricted advisory announcements only list due to certain reasons
> roughly explained on the arch-devops [0] and arch-dev-public [1] lists.

I noticed this change when I tried to reply to today's nginx advisory by
mentioning that nginx-mainline (in the AUR, but officially supported by
nginx and relevant to the nginx advisory) was also affected, and also
updated in the AUR. I don't think we should use arch-security for AUR
security advisories in general, but I felt like that email was pretty
on-topic for the mailing list under these circumstances.

Mailman lets you set a list to moderated, which requires each email to
be manually approved by a moderator. I think that using this feature
would be a good strategy so that moderators can use their best judgement
on a case-by-case basis. I can't imagine the workload being very high,
considering that prior to this change we were seeing, on average, <1
thread per month that was not a straightforward security advisory.

Considering the low volume of arch-security in the first place, I feel
like this is a solution looking for a problem anyway. I've never felt
that the signal:noise ratio on arch-security is a problem. The email
thread mentioned in Christian's email to arch-devops is very unusual, at
least for the time I've been subscribed to arch-security. If that
sort of content shouldn't appear on the list, then a better solution
would be to enable Mailman's moderation than to blanketly ban all posts
to the ML.

Aside: we should strive to make sure that mailing lists are involved in
discussions that affect them _before_ decisions are made.

--
Drew DeVault

