golang / go

The Go programming language
https://go.dev
BSD 3-Clause "New" or "Revised" License

x/website/internal/dl: expose whether a release is a security release or not in API #44925

Open hyangah opened 3 years ago

hyangah commented 3 years ago

Tools that watch the golang.org/dl endpoint to learn about new releases may benefit from this extra information. Not every user is eager to update as soon as the new point release is available. But if the patch includes critical or important security patches, users should take it more seriously.

It would be better if extra information like severity (https://github.com/golang/go/issues/44918) could be included too.

According to @dmitshur: whether a release is a security one or not is available in an internal x/website package, but that isn't easily accessible externally.

dmitshur commented 3 years ago

The internal package is golang.org/x/website/internal/history. See Release.Security.

dmitshur commented 3 years ago

The https://golang.org/design/draft-vulndb design draft may also be a relevant factor to consider here.

CC @golang/security, @golang/release.