On 01.12.2017 16:34, Scott Kitterman wrote: > Testing doesn't have security support (and since neither the security team > nor maintainers can upload to it, it's the most problematic choice from a > security support perspective). I don't think that's suitable to recommend to > end users of any sort.
I mean that's not really true. Both can upload to it, it just needs to be accepted manually. They generally don't do it, though. So whenever a DSA is published you don't necessarily get an update right away. Many advisories don't talk about unstable either and the maintainer might not even be aware of the security issue[0]. It feels like at some point this needs to be addressed in some way by the project, though. (I know. We're all volunteers and all. But at the same time we try to assemble something useful in the form of testing and by some extension also unstable.) Kind regards Philipp Kern [0] I hope that's actually wrong but I wouldn't be surprised if the maintainer is not contacted in the most severe instances.