This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Clearly indicate when a release fixes known security problems #5

Open
tribut opened this issue Jan 20, 2016 · 3 comments

Comments

@tribut
Member

tribut commented Jan 20, 2016

Just read #4 and noticed that 8.2.2 apparently fixes a medium-rated security problem. So I went back to the changelog and the only indication of any security fix was Security improvements. To me this sounds more like general hardening than fixing a security-critical bug. The mail to announcements@owncloud.org did not mention security at all and only referenced the changelog.

We cannot expect our users to install any and all updates with the highest priority so I would think it is important to clearly state when a release is security-critical.

There also appears to be no way to easily keep up to date with security advisories. There seems to be no RSS feed, and there is no mail to the announcements list when one is issued.

@MorrisJobke

cc @LukasReschke for the security announcements
cc @karlitschek @cmonteroluque for the changelog and announcements

@ghost

ghost commented Jan 21, 2016

also copying @jospoortvliet as he manages the .org changelog summaries.

@LukasReschke
Member

The policy we agreed on some time before was the following:

  1. If a release patches a security issue, we indicate in the changelog and on the announcements@owncloud.org mailing list that this is a release that contains low/medium/critical security patches and that details will be released 14 days after the release.
  2. 14 days after the release, we release the advisories to the public. Enterprise customers receive the advisory already at the point of release; the patches are, however, available at the same time.

If somebody is interested in an RSS feed for owncloud.org/security/advisories, I'm happy to accept a Pull Request at https://github.com/owncloud/owncloud.org.

So from my side we basically just need to have somebody asking me before the release whether this contains a security issue. This works quite well for the EE push notifications already :-)
