Process questions are very much off-topic for this bug report, but...
On 08/30/2018 09:43 AM, Bjoern wrote:
As I am clearly unfamiliar with your processes, I really would
appreciate the clarification to better my understanding and perhaps
quell my concerns:
* How far away is the 9.6 point release (given that 9.5 was released
just over 1.5 months ago)?
The aim is to have point releases roughly every couple of months. In
practice anywhere between 2 to 4 is common.
* Why could the issue not be dealt with by simply supplying the fix in
the nearer term as a security update? Would it not be better to err on
the side of caution?
Any change in stable comes with risk (e.g. of regressions), it comes
with a cost both to the security team and to all users who need to apply
the update. So the security team and/or package maintainers make a
risk/cost vs benefit analysis for any given issue and decide whether to
leave it unfixed or fix it through in a point release or fix it through
security.debian.org.
Cheers,
Julien