Create a listserve for Sigstore clients and tooling to announce deprecations/comms

[asraa]

It would be nice to have a Sigstore client listserve that can help automate communications that need to be delivered to Sigstore clients, including:

• Deprecation notices
• Breaking changes or updates in services
• Security issues
• etc.

It would be nice to also have tooling around creating these emails via a GitHub issue. E.g. if we post a public PR/issue on sigstore/community regarding Sigstore services. Then with applying a certain label or comment, we can issue an email to the list-serve with the content. Or maybe that's too complicated, but it allows for documentation of the issue outside of a listserve if public.

[davelester]

+1! These are communications that can easily be lost in Slack today. How about dev-announce@?

I'd suggest that we use Groups.io to power this for sigstore.dev, similar to how OpenSSF lists work today. If that's a worthwhile path I'm happy to help find out how to make that happen. I think there may be a need for additional lists as well (perhaps best discussed in a separate GH issue).

[lukehinds]

I had been thinking the same, so +1 from me.

[asraa]

Yes, thanks! That would be great: even just starting with the creation of a groups.io listserve would be great.

I'll be happy to file issues on various clients that want access.

[lukehinds]

we do have google services enable on [email protected] , could that be leveraged at all?

[lukehinds]

A good example of why this is needed:

There have been a lot of messages like this in slack, and I am pretty sure this a non-backwards compatible change was made between cosign and how the tuf root is transported (please correct me if I am wrong).