On Mon, Feb 19, 2018 at 10:21:18AM +0100, Michael Meskes wrote:
Maybe you answered your question yourself. How about we tie our
security support to upstream's? Instead of fixing and backporting
ourselves we promise our users that this section of the archive will
get upstream's latest fixes even if that means the version number
Because eventually a future version will come out that doesn't work with
the stable base, at which point we suddenly stop supporting the package.
That's much worse than just admitting up front that we can't support the
package for the next 4 years.