> > critical patches, and those should be pulled into 4.2-stable. > > Unfortunately, it isn't that easy. Some updates imply updates of > depending ports (e.g. poppler and evince), which may imply further > updates of dependencies. So you'll end up with -current -- more or > less, including more updates...
Mattias: Making that distinction the critical thinking responsibility of the system administrator. No vulnxml syntax exists for describing ranges of vulnerable versions compatible with every projects versioning and release engineering scheme, as they all differ. That should not stop us from doing the best we can with the existing limitations. ~BAS
