* Laszlo Boszormenyi:

>> Why can't we treat security support like a broken package, and remove
>> it if it isn't fixed by its maintainers?
> Because you miss the point. You remove the package from the archive,
> and not from the users' system. So the users would be still vulnerable,
> and everyone would hate Debian.

I'm not suggesting to carry out security support by removing broken
packages (that's almost impossible after a release, as you correctly
noted). I'm suggesting to drop security support as a whole, like a
package with a release-critical bug is removed from the release if it
isn't fixed by the maintainers (or someone else who has the necessary
knowledge and authorization to implement a fix). No security support
means exactly what it says: doing nothing, not even removing affected
packages.