> In particular, it assumes that critical bugs are identified early in the
> process and released. Sounds like that is badly broken here.
That sounds ideal, but what sort of release process could reliably accomplish that goal with respect to security bugs? Tell people to have their security-related discussions during the first half of a new release, analogous to the kernel merge window?