bigmudcake wrote:
Maybe a suggestion is to have a dedicated Security Team, similar to the Documentation Team, so the burden of security releases and tracking of issues doesn't keep falling on Rey.
Security falls within the mandate of the Stability Team. All releases within the Stability mandate fall under the heading of Stability Releases, which are general bug fixes of issues in the Stable codebase, or the heading of Security Releases, which are made in direct response to discovered security vulnerabilities.
While the idea of a dedicated Security Team is essentially sound, more teams requires more manpower and more management overhead.
While it may seem ludicrous to propose that an Open Source project may have manpower issues, one must remember that involvement in an OS project at any level requires a large degree of time and commitment from individuals - something that comes from people's free time. Also there is the matter of whether people have the expertise and knowledge to be appropriate - especially in regard to deep knowledge of the Joomla! codebase. Lastly, there is the issue of whether the individual(s) truly believe in the concept of Open Source.
To a certain extent the duties/requirements of General Bug Fixing and Security Fixing are essentially the same, so a dedicated Security Team may be slightly redundant. Also we have a separate Quality & Testing Working Group who aid the work of the Stability & Development groups by testing the codebase.
bigmudcake wrote:
The security Team can have a "closed" forum to discuss unpublished security issues,
We already have private areas for such discussions and sometimes security threats reported in these forums are moved to this private area.
bigmudcake wrote:
a webpage that summarizes all published security issues and their suggested fixes.
As I have discussed previously, this is something that is on my personal todo list.
bigmudcake wrote:
The Team needs to also understand that there are a lot of modified Joomla sites out there who can't simply upgrade, plus the risk of breaking 3rd party software in the course of upgrading.
While I understand and appreciate the problems, I outline my response to this here:
http://forum.joomla.org/index.php/topic ... #msg373406
Also, basically a separate Security-only patch would represent a new trunk of the codebase that we would also need to cater for.
Also a site running a lesser version with all Security patches only will not necessarily be as secure as the latest Full Release.
That said, this idea (security-only patch) is something we will examine and consider to determine if it is workable within the resources that we have available.
Please remember that there is no abundance of sound and good ideas; unfortunately we are faced with very scarce and limited resources that, due to practical considerations, reduce what we are able to achieve.