Hi,

because of the WOT[*] incident, I wonder how Debian should handle malware packages in favour of our users.

The current scheme is to remove the offending package from stable and move on. With unattended-upgrades or other automatic upgrade schemes, such packages would remain on many systems and potentially harm users.

I suggest handling such cases differently by uploading a new, empty package (like transitional packages, but without new depends).

What do you think?

Cheers

[*] https://bugs.debian.org/842939
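
The gap described in the message above (a package removed from the archive stays installed, because upgrades only replace packages that still have a candidate) can be checked on a host. This is an added example, not part of the original mail: it compares dpkg status stanzas against archive `Packages` indices, and the function names, package names and sample data are constructed for illustration.

```python
# Constructed sample data (not from a real system). On Debian the real inputs
# would be /var/lib/dpkg/status and the *_Packages files under /var/lib/apt/lists.
STATUS = """\
Package: coreutils
Status: install ok installed
Version: 8.26-3
Description: GNU core utilities
 Basic file, shell and text manipulation utilities.

Package: example-addon
Status: install ok installed
Version: 1.0-1

Package: old-config-only
Status: deinstall ok config-files
Version: 0.9-2
"""
INDEX = """\
Package: coreutils
Version: 8.26-3
"""

def parse_stanzas(text):
    # Parse deb822-style text (dpkg status, Packages index) into a list of dicts.
    stanzas, current, key = [], {}, None
    for line in text.splitlines():
        if not line.strip():              # blank line ends a stanza
            if current:
                stanzas.append(current)
            current, key = {}, None
        elif line[0] in " \t":            # continuation of the previous field
            if key:
                current[key] += "\n" + line.strip()
        elif ":" in line:
            key, value = line.split(":", 1)
            current[key] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas

def installed_packages(status_text):
    # dpkg Status is "<want> <flag> <state>"; keep only state == installed.
    return {s["Package"]: s.get("Version", "")
            for s in parse_stanzas(status_text)
            if "Package" in s and s.get("Status", "").split()[-1:] == ["installed"]}

def orphaned_from_archive(status_text, *index_texts):
    # Installed packages that appear in none of the given Packages indices.
    available = {s["Package"] for t in index_texts for s in parse_stanzas(t) if "Package" in s}
    return sorted(n for n in installed_packages(status_text) if n not in available)
```

Locally built or third-party packages also show up in the result, so the list is a starting point for review rather than a verdict.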