why pkgs with vulnerabilities on quarterly aren’t updated

[rplace]

On Sun, Nov 26, 2017 at 12:48:41AM +0000, Ben Woods wrote:
> Quartlery branches are definitely supposed to receive security updates.
> Sometime people forget, and if this is the case you absolutely should
> remind them. Ideally this would just be the minimal update to address the
> vulnerability, without bringing new features. However, patches do not
> always exist, and sometime this is not easy.
> 
> Where security issues have been addressed in the head branch, but not the
> quarterly branch, I recommend:
> - checking if the commit to head had a MFH request (merge from head)...
> perhaps the committer is just waiting for the approval to merge the commit
> to quarterly.
> - if there was a bug report, check if it has been closed or if it is still
> open awaiting the MFH (there is a flag in bugzilla that can be set to show
> this is the status).
> - if a number of days (closer to a week) has passed since it was addressed
> in head and it still hasn’t been addressed in quarterly, or there was no
> MFH commentary to suggest it would be addressed in quarterly, then I
> suggest either commenting on the bug report that was related to the commit
> to state the MFH has been forgotten (reopen the bug), or raise a new bug
> report, ensuring that the person who made the commit to head gets
> automatically assigned as the assignee after raising or add them to the CC
> list manually.

Thanks. The maintainer for firefox-esr said that the MFH was denied by
the relevant authority, ports-secteam or something like that.
I presume it wanted new versions of libraries or something.

It became clear to me that quarterly is all right for a professional
system running some services, but that latest becomes necessary for a
personal machine.