On Mon, Feb 19, 2018 at 10:21:18AM +0100, Michael Meskes wrote:
Maybe you answered your question yourself. How about we tie our security support to upstream's? Instead of fixing and backporting ourselves we promise our users that this section of the archive will get upstream's latest fixes even if that means the version number changes.
Because eventually a future version will come out that doesn't work with the stable base, at which point we suddenly stop supporting the package. That's much worse than just admitting up front that we can't support the package for the next 4 years.
Mike Stone