Nice post!

It's great that Greg took the time to re-explain this, as there seems to always be some interest expressed by lots of people about that process which, by the nature of discrete exchanges, can easily lead to incorrect speculations.

I remember that about 8-10 years ago at Kernel Recipes, I don't remember what recent security activity there had been just before the conference, but during the first morning I got 3 questions from different people about that process and the team's role. People appeared quite confused in fact. I talked to Greg about this during lunch and in the afternoon we took 10mn to improvise a talk on the topic, explaining how the team works (Greg is amazingly at ease to speak about any topic without even preparing anything). It was very much appreciated, led to some questions/responses sessions, and I got some thanks after that for initiating this.

I think that people just don't dare asking, but their interrogations are legitimate. The kernel's security is only something if it's correctly handled by everyone in the chain, and it's natural that end users constantly wonder if they might be missing anything or doing anything wrong.

By the way I'm always impressed by how seriously subsystem maintainers handle issues that we forward to them. We could expect that sometimes they would get bored or annoyed by the low importance of certain reports, but that's never the case, every single time they quickly respond and take the issue very seriously, with topmost priority. Some maintainers who get their first report are even extra careful, trying to make sure not to make any mistake nor disclose anything too early by accident.

Overall it works so well that I roughly copied the process for haproxy :-) No need to reinvent something that is already proven!