[winswitch] upcoming security notification mailing list for xpra projects
Antoine Martin
antoine at nagafix.co.uk
Mon Apr 7 16:29:33 BST 2025
Hi,

To support the secure deployment of Xpra and aid downstream compliance
with cybersecurity regulations (such as the Cyber Resilience Act,
CIRCIA/CISA, etc.), we are setting up a restricted mailing list for
advance notifications regarding security issues affecting any of the
Xpra projects.

This includes the MS Windows and macOS builds, which bundle over a
hundred third-party library dependencies. The SBOM (Software Bill of
Materials) feature will help facilitate this effort.

At present, there are several known issues - some of which have not
received adequate public attention. Some of these may still be assigned
CVEs, and it is inevitable that new issues will be discovered over time.

Key points:
* the focus will be on currently supported versions (v5 and newer),
  though issues in older versions may also be reported.
* notifications will be sent within 48 hours of new discoveries,
  regardless of whether a mitigation is available.
* if applicable, a CVE will be requested around the same time.
* full disclosure of the issue will follow within 7 days.

If you would like to be added to this notification list, please send a
request to: security at xpra.org.

This service is free and open to anyone, but please provide a brief
justification for your inclusion. Ideally, the list will remain small to
minimize the risk of leaks and abuse.

Cheers,
Antoine