doc: add request to hold off publicising sec releases

- We've often seen tweets go out early before announcement and other parts of the security release complete - Make an explicit ask that collaborators avoid doing this by gating on the tweet from the Node.js account - Releasers would still be free to tweet earlier as they know when the process is complete. Signed-off-by: Michael Dawson <[email protected]> PR-URL: #46702 Reviewed-By: Ruben Bridgewater <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: Robert Nagy <[email protected]> Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Akhil Marsonya <[email protected]> Reviewed-By: Gireesh Punathil <[email protected]> Reviewed-By: Antoine du Hamel <[email protected]> Reviewed-By: Chengzhong Wu <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Trivikram Kamat <[email protected]> Reviewed-By: Darshan Sen <[email protected]>
nodejs · Apr 11, 2023 · 11885a7 · 11885a7
1 parent 966d0d8
commit 11885a7
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/doc/contributing/security-release-process.md b/doc/contributing/security-release-process.md
@@ -118,6 +118,7 @@ out a better way, forward the email you receive to
 `[email protected]` as a CC.
 
 * [ ] Create a new issue in [nodejs/tweet][]
+
   ```text
   Security release pre-alert:
 
@@ -130,6 +131,13 @@ out a better way, forward the email you receive to
   https://nodejs.org/en/blog/vulnerability/month-year-security-releases/
   ```
 
+  We specifically ask that collaborators other than the releasers and security
+  steward working on the security release do not tweet or publicise the release
+  until the tweet from the Node.js twitter handle goes out. We have often
+  seen tweets sent out before the release and associated announcements are
+  complete which may confuse those waiting for the release and also takes
+  away from the work the releasers have put into shipping the releases.
+
 * [ ] Request releaser(s) to start integrating the PRs to be released.
 
 * [ ] Notify [docker-node][] of upcoming security release date: _**LINK**_