>> The same people that maintain the packages in sid and stable: theI consider it part of my responsibility as a package maintainer to provide
>> maintainer(s) for each package. [...]
> That is not the case. At the moment most of this is done by the
> Debian security team. Of course some package maintainers do help.
security support for my packages for as long as Debian does. If I felt
like I couldn't do that, I would orphan the package or look at having it
removed from Debian. I don't think there's any way that one team can
scale to providing security support for the entire archive; it's hard for
them to even track the existence of issues for the entire archive.
My experience is that I can just barely manage to
convince upstreams to look over my backports of security patches to
packages in oldstable