The mailing list for security vulnerabilities is private, in order to keep zero days a secret before they are patched. This is the issue, not the mailing list. Moving away from mailing lists wouldn’t solve this because the vulnerabilities would still have to be private.
It would make it easier for people to find if a bug has already been reported, which is what Torvalds mentions as being a problem.
The mailing list for security vulnerabilities is private, in order to keep zero days a secret before they are patched. This is the issue, not the mailing list. Moving away from mailing lists wouldn’t solve this because the vulnerabilities would still have to be private.
@qaz That is right! Looks they need a bugtracker, ideally a bugtracker integrated with the mailing list.
Well, they already use Bugzilla. Although I personally do not find it particularly intuitive to use.