Sure, but without the advisory, most affected people would’ve felt less urgency to update to a just-released Nix version.
The only people who would’ve been “in the know” between Tweet and advisory are:
- those who instantly check the release notes of every Nix release (and it’s not even clear where to find them)
- those who follow DetSys on Twitter
It seems unfair that those who subscribe to security advisories on the Nix repo should be at a disadvantage here. And I’m sure it won’t inspire confidence in the professionalism of the team.
I think this is a pretty clear-cut issue, @edolstra – don’t announce security fixes in the DetSys Twitter first!