Hi, https://security-tracker.debian.org/tracker/CVE-2018-11235 (https://public-inbox.org/git/xmqqy3g2flb6....@gitster-ct.c.googlers.com/) reminded me that I don't fully understand the process for handling embargoed security issues in sid and testing.
When preparing updates for an embargoed issue in stable (https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#bug-security), the packager uploads to security-master and auto-builders are able to build for supported platforms before the embargo expires. Once the embargo expires, the package is released and available quickly for users to upgrade. After preparing updates for an embargoed issue in sid, the packager uploads to ftp-master once the embargo expires. There is an additional delay for auto-builders to build the package before the binary package is available, unless the packager prepares binary packages locally in advance and uploads them as well. Is that the recommended practice? With severity=high, a security fix then takes two more days before it hits testing. Is there a way to expedite it? My experience with https://bugs.debian.org/871823 was "no". Is my understanding correct? Any other points? Thanks, Jonathan
