Many developers close security bugs which are tagged woody only, even though security support for oldstable has not been discontinued officially. How shall we bridge the apparent gap between documented policy and existing practice? Given our resources, I'd say fix the policy. Any objections?