added some more information about the security process #2696

Merged
merged 1 commit into from
Jun 22, 2013

Conversation

fabpot
Member

@fabpot fabpot commented Jun 4, 2013

No description provided.

@greggles

greggles commented Jun 4, 2013

I see two deficiencies in the current policy:

  1. It doesn't state a day of the week to release issues. I have a strong preference for Symfony to release on Tuesdays. That gives downstream projects enough time in the week to package and release their code before it gets to the weekend. This is especially an issue for folks in Asia-Pac.
  2. It doesn't state a minimum amount of time to wait for coordination among the projects. I suggest 2 weeks as a minimum time unless an issue is actively being exploited.

I reviewed the ezPublish security releases from 2012:

  • 6 dec 2012 - first thursday
  • 13 sep 2012 - second thursday
  • 8 july 2012 - first sunday
  • 9 may 2012 - first wednesday
  • 26 march - fourth monday

I don't know the details of those and whether there were active exploits in the wild, but there seems to be a preference for weekday releases.

@scor

scor commented Jun 4, 2013

@greggles The changes in this PR do mention the 2 week period ("When the issue is not known to be exploited in the wild, a period of two weeks seems like a reasonable amount of time.") as well as the preference for Drupal to release on Wednesdays. I guess the next question for @fabpot is whether it could be stated that Symfony would try to target Tue for security releases (for the reasons mentioned by greggles).

@scor

scor commented Jun 4, 2013

On a related note, I think it would also help to start using this new collaboration model (once finalized) going forward before Drupal 8.0 is released, so we can validate it and get used to it. Drupal 8.0 is not going to be released before the end of the year or beginning of 2014, so we have at least 6 months or so in front of us to start using this new model.

@greggles

greggles commented Jun 4, 2013

Right you are. I hadn't noticed that this issue was associated with a commit. That said, the language still feels overly non-committal.

weaverryan added a commit that referenced this pull request Jun 22, 2013
added some more information about the security process
@weaverryan weaverryan merged commit cfa7e4c into symfony:2.1 Jun 22, 2013
@weaverryan
Member

Hi guys!

I've merged this in - since it's for the documentation, it's more of a description of the currently-accepted model rather than what it perhaps should be, which I'm sure will continue :).

Thanks!

@fabpot fabpot deleted the security-tweaks branch March 3, 2014 12:24