@gregkh Yet as I was writing this I realize the alternative is also scary, if issues are reviewed internally (perhaps a larger group but still tightly controlled), then any commit not seen in the ML's are definitively security issues - that reduces the lead time (those commits could be merged shortly before cutting a release) yet reducing the time between merge and release also limits the ability for related issues to be reported.
2/2