For now I'm going to go ahead with packaging 8.7p1 (cherry-picking the security fix from 8.8p1) to at least catch us up a bit, and I'll leave this bug open. -- Colin Watson (he/him) [cjwatson@debian.org]