Process questions are very much off-topic for this bug report, but... On 08/30/2018 09:43 AM, Bjoern wrote: > As I am clearly unfamiliar with your processes, I really would > appreciate the clarification to better my understanding and perhaps > quell my concerns: > > * How far away is the 9.6 point release (given that 9.5 was released > just over 1.5 months ago)? > The aim is to have point releases roughly every couple of months. In practice anywhere between 2 to 4 is common.
> * Why could the issue not be dealt with by simply supplying the fix in > the nearer term as a security update? Would it not be better to err on > the side of caution? > Any change in stable comes with risk (e.g. of regressions), it comes with a cost both to the security team and to all users who need to apply the update. So the security team and/or package maintainers make a risk/cost vs benefit analysis for any given issue and decide whether to leave it unfixed or fix it through in a point release or fix it through security.debian.org. Cheers, Julien
