is this really how embargoed security holes are communicated to distros these days? http://oss-security.openwall.org/wiki/mailing-lists/distros

Lack of https support on a page with a gpg public key supposed to be used to encrypt security hole reports 😮

(And the WOT paths to the only person to have signed that key are not great either.)