Clarify security levels
This clarifies security label priorities.
@mydigitalself and @DouweM can you please review this thinking; I like it and am ready to merge, but it has upstream (product) and downstream (development) impact, so I want to have your view on it as well.
I still think there's a fair amount of ambiguity with SL2 and SL3 seems fairly far in the future with nothing in between.
Could we do
SL1 = Drop everything, do it now - this effectively drives a patch release
SL2 = Next patch release - still fairly drop everything'ish, but attaches to the next patch release whenever that may be
SL3 = Next version - even if that version is currently under development
SL4 = Longer term, probably Next+1
@mydigitalself I think adding SL4 makes sense. @briann do you want to take a stab at it?
Also, I just labeled https://gitlab.com/gitlab-org/gitlab-ce/issues/27581 as SL2 because data loss can occur, but I think we should refine the examples so that data loss to a single user at a time is listed as impact 2, instead of 1. Can you add that example?
With those two edits this should be ready to merge.
assigned to @briann
I've adjusted the label description to match suggestions from @mydigitalself above. I'm not 100% happy with the way I've written this up and I could use some reviews/comments.
assigned to @ernstvn
Thanks @briann I think this works. @mydigitalself @DouweM please take note this is how we will assume the labels should work :-)
enabled an automatic merge when the pipeline for 5f71aa3d succeeds
mentioned in commit 639824f4
I think that looks good @briann