Greetings, As I have understood on http://www.debian.org/security/faq.en.html#policy , every security bugfix packages goes into the debian-security channel but recently I saw an update to the proftpd package (on etch) in the debian/stable channel. I thought it was a bugfix but when I looked into the changelog http://packages.debian.org/changelogs/pool/main/g/glibc/glibc_2.3.6.ds1-13etch7/changelog I saw that this is not a bugfix but a security bugfix, closing CVE-2007-2165.
Why does this package was uploaded to the normal etch channel and not into the security one ? Every security package concerns must go into the security channel, no ? I rely on the package channel to know if this is a normal or a security bugfix in a plugin I'm currently developping (and soon releasing on sourceforce) for apt. Best regards, Frédéric PICA
