On Thu, Oct 27, 2011 at 7:28 AM, Ian Jackson wrote:
> The difficulty is that if we end up with ten different versions of
> vulnerability we need to somehow backport the patch to each of those
> ten versions.
> And here "we" means the security team, not the people who uploaded the
> ten versions in the first place.
I would assume the security team would just file bugs and let the
maintainer deal with it, unless the issue is embargoed?
> So this is rather unpalatable.
Agreed with that part.