Re: php vulnerabilities
>> I think we would need a new distribution e.g. 'sec-stable' for testing
>> new security patches. So someone would be able to choose between
>> 'more stable but less secure'
>> 'less stable but more secure'.
> To me it sounds like 'testing', no ?
No, testing provides too new version of the dependencies. We neither
want to include this newer versions in a security release if we don't
have to, nor can we rebuild a package from testing on stable and
expect the result to work reliably.