I've noticed that more and more security advisories are reported by module maintainers. In the past, if I noticed a security problem, I would fix it and commit the change without saying anything. It was sort of embarrassing to me to have an SA filed. However, that didn't mean that users would pick up the fixed version.
Are maintainers now flagging their own issues as a way to "force" people to update to the newest code? Nancy
