472 is something that we should have known about the moment it was announced. It's fine for now, but it'll matter a lot more when we're in production. We need to make sure we're subscribed to all of the relevant mailing lists -- in this case, dev@opencontainers.org would have been enough. (We don't qualify for being on their embargoed security list.)
[ ] Compile a list of all components we depend on
[ ] Compile mailing lists on which vulnerabilities are announced for the upstream projects
[ ] Get everyone on the team to subscribe to them
[ ] Determine a strategy to make sure we continue to get this information into the future, even as our dependencies and team members change
472 is something that we should have known about the moment it was announced. It's fine for now, but it'll matter a lot more when we're in production. We need to make sure we're subscribed to all of the relevant mailing lists -- in this case,
dev@opencontainers.orgwould have been enough. (We don't qualify for being on their embargoed security list.)