Interesting. I suppose it would be possible to publish QSBs on GitHub immediately but delay the announcements on the website, forum, mailing lists, and social media until the packages hit stable. That feels a bit weird, though, like hiding information from you for your own psychological comfort. On the other hand, I suppose it makes sense that announcements should be actionable for the majority of users who read them. But then again, most QSBs don’t require any special user action. Just “continue updating normally.” I’m also not sure how people would react to such a change. I can imagine the majority of the userbase hating that and preferring the current way we do it. I can also imagine the opposite.
Besides, even if we were to do this, it’s highly likely that some users would take it upon themselves to post their own unofficial announcements here in the forum whenever we quietly published a QSB on GitHub. That already happens now, even when we publish timely official announcements for things (recent example). So, you’d likely end up in a situation where you’re still forced to become aware of security updates before they’re in stable, except you’d probably receive a potentially less-informative, less-reliable unofficial announcement at first and have to wait longer for the official one.
If you don’t want to use security-testing updates (which is completely fine), why don’t you just continue updating normally and get the updates when they hit stable? Or, if you’d rather have the security updates as soon as they’re available, why don’t you just enable security-testing but not any other testing repos? If none of these options sound good, I think it’s because what you want is just fundamentally at odds with the nature of software development. There’s an inherent trade-off between stability and speed. Since testing takes time, you can either have faster updates that are less tested (less stable) or slower updates that are more tested (more stable).
The more I think about this, the more odd it seems to me. I would think that one should decide whether one wants to use only stable or some combination of testing repos, then one should update regularly from there, regardless of any announcements. One would then get the security updates whenever they’re available in one’s chosen repos. Why does it matter if the date of an announcement differs from the date on which the attendant patches are applied on one’s system? One already considered that when deciding which combination of stable and testing repos to use. The timing of the announcement doesn’t change the facts on the ground. The vulnerability is out there, and the fix is either applied on a system, or it is not. The user’s cognizance of the situation doesn’t affect this. Not wanting to hear about a vulnerability when a fix is available just because one has chosen not to apply the fix yet seems analogous to wanting to stick one’s head in the sand or close one’s eyes in order to avoid seeing something dangerous.
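The post above suggests enabling the security-testing repo while leaving the other testing repos off. As an added illustration (not part of the post, and not a script from the Qubes project), the following shell functions flip `enabled=` for exactly one section of a yum/dnf-style `.repo` file and then read the value back so you can check that no other testing section was touched. The section names and the sample file contents are constructed for the example; the real section name in dom0’s `/etc/yum.repos.d/qubes-dom0.repo` is an assumption you should confirm against your own system before editing it.

```shell
#!/bin/sh
# Example, not Qubes project code. Enable exactly one [section] in a
# yum/dnf-style .repo file, leaving every other section unchanged.

# enable_repo_section FILE SECTION
# Rewrites FILE so that the "enabled=" line inside "[SECTION]" reads
# "enabled=1". Lines in all other sections are printed as they are.
enable_repo_section() {
    file="$1"
    section="$2"
    tmp="${file}.tmp"
    awk -v want="[$section]" '
        /^\[/ { in_section = ($0 == want) }       # track which [section] we are in
        in_section && /^enabled=/ { $0 = "enabled=1" }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# repo_section_enabled FILE SECTION
# Prints the value of the "enabled=" line inside "[SECTION]" (the check
# you run after editing, to confirm only the intended repo changed).
repo_section_enabled() {
    awk -v want="[$2]" '
        /^\[/ { in_section = ($0 == want) }
        in_section && /^enabled=/ { sub(/^enabled=/, ""); print; exit }
    ' "$1"
}

# make_sample_repo FILE
# Writes a constructed sample (assumed section names, not a copy of any
# real Qubes repo file) so the functions above can be exercised offline.
make_sample_repo() {
    cat > "$1" <<'EOF'
[qubes-dom0-current]
name = Qubes Dom0 Repository (updates)
enabled=1

[qubes-dom0-security-testing]
name = Qubes Dom0 Repository (security-testing)
enabled=0

[qubes-dom0-current-testing]
name = Qubes Dom0 Repository (updates-testing)
enabled=0
EOF
}

# Usage (on a scratch copy, never directly on the live file without a backup):
#   make_sample_repo /tmp/sample.repo
#   enable_repo_section /tmp/sample.repo qubes-dom0-security-testing
#   repo_section_enabled /tmp/sample.repo qubes-dom0-current-testing   # still 0
```

For a one-off update rather than a permanent change, the Qubes documentation describes passing the repo on the command line instead, `sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing`, which avoids editing the file at all; the script above is for the case where you want security-testing on every time you update.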