Hi, On Mon, Oct 27, 2025 at 09:40:35PM +0100, Sebastian Pipping wrote: > Hello Stuart, > > > On 10/27/25 20:45, Stuart Henderson wrote: > > On 2025/10/27 19:51, Sebastian Pipping wrote: > > > Also, fixes without a CVE will not be backported downstream. > > > > That depends on the downstream. > > I'm happy to learn which downstreams backport security issues > without a CVE, in practice. Do you have an example or two?
Another very recent example is https://lists.debian.org/debian-security-announce/2025/msg00200.html It is about: https://discuss.tryton.org/t/security-release-for-issue-14290/8895 https://foss.heptapod.net/tryton/tryton/-/issues/14290 While it would be nice that a identifier exists for this issue (has not yet happend), this was not blocking doing an update. Regards, Salvatore
