"Marcelo E. Magallon" <mmagallo@efis.ucr.ac.cr> writes: > He uploads the package to master with distribution set to stable, > and _also_ uploads it to security.debian.org If a maintainer can upload a package without approval to either proposed-updates or stable, then one is no better than the other. If uploads to security require approval, then the approval could have been done from proposed-updates to stable instead. Guy