No release notes / mentions of vulnerabilities

[eternalflamez]

Our cockpit instances were breached due to not running 0.11.2 yet.

There is no mention of any vulnerability or fix thereof except for in the commit messages (that only mention it being a "possible" vulnerability, implying it could also be safe). Is it possible to do some automatic release notes based on the git commit names that are part of the releases? Or at least put mentions of these breaches in the main readme.

For those interested, breach information: https://portswigger.net/daily-swig/cockpit-cms-flaws-exposed-web-servers-to-nosql-injection-exploits

[remluben]

Thank you for bringing this issue up. I used cockpit on a couple of projects and was missing some kind of changelog or release notes as well. Maybe someone, who is more into the project, could give us his opinion on this.

I personally think of something like https://keepachangelog.com/en/1.0.0/

What do you think?

[MarcoDaniels]

@remluben there’s an open PR with the start of the changelog #1398

[remluben]

@MarcoDaniels Thank you very much, I must have missed this one.