> Hope it's ok I hijack this thread again about setting up cooldowns...

In addition to cooldowns it'd be nice if more package managers did triage between security fixes and normal releases (bug fix / performance improvement / new functionalities).

It's totally possible to say: "A security fix must only be a security fix and cannot ship any other feature".

Then, for a start, a security fix becomes easier to audit (both by security researchers and by the tools security researchers are using).

And then a cooldown can be used for the regular releases (e.g. non-security-related bug fixes, performance improvements, new functionalities, etc.) but no cooldown (or a much smaller countdown) for security fixes.

Something has to be said for a system like Debian, where you can have an extremely stable server and configure unattended upgrades to apply only security fixes and nothing else.

Such new package releases are easier to audit by security researchers.
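The cooldown-with-a-security-fast-lane policy described above, written out as an added example that is not part of the original post. The `Release` model and its `security_fix` flag (a release containing nothing but a security fix, which is the triage the comment asks package managers to do) are assumptions; the release list and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Release:
    version: str
    published: date
    security_fix: bool  # assumed flag: True only for "security fix and nothing else" releases

def _version_key(version: str) -> tuple:
    # Plain dotted-integer versions only; enough for the constructed sample below.
    return tuple(int(part) for part in version.split("."))

def select_release(releases, today, cooldown_days=7, security_cooldown_days=0):
    """Return the highest version that is allowed to be installed today.

    A non-security release must have been public for at least `cooldown_days`
    (the cooldown that lets the ecosystem spot a compromised release before
    anyone installs it). A security-only release gets `security_cooldown_days`
    instead, zero by default, so a fix is not held back by the cooldown.
    Returns None when nothing is eligible yet."""
    eligible = []
    for rel in releases:
        age_days = (today - rel.published).days
        required_wait = security_cooldown_days if rel.security_fix else cooldown_days
        if age_days >= required_wait:
            eligible.append(rel)
    if not eligible:
        return None
    return max(eligible, key=lambda rel: _version_key(rel.version))

# Constructed sample: a fresh feature release, a fresh security-only release,
# and an older feature release that has already sat through the cooldown.
TODAY = date(2024, 6, 15)
SAMPLE_RELEASES = [
    Release("2.0.0", TODAY - timedelta(days=1), security_fix=False),
    Release("1.9.1", TODAY - timedelta(days=2), security_fix=True),
    Release("1.9.0", TODAY - timedelta(days=20), security_fix=False),
]

if __name__ == "__main__":
    # With the fast lane, the two-day-old security fix is installed right away.
    print(select_release(SAMPLE_RELEASES, TODAY).version)  # 1.9.1
    # Without it, the same cooldown applies to everything and you stay on 1.9.0.
    print(select_release(SAMPLE_RELEASES, TODAY, security_cooldown_days=7).version)  # 1.9.0
```

The same shape is what Debian's security-only unattended upgrades give you at the distribution level: the security pocket is trusted immediately, everything else waits.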