> I only remove packages for security issues when new, updated ones have been made and uploaded.

I don't think we should do that, unless we remove all packages for which there is an updated version, for any kind of bugfix. Basically, if we are trying to deny code to someone because of a security concern, I think we're doing it wrong.
I don't understand. What does "trying to deny code" mean here? Are you saying that after sudo got updated from 1.9.16p2nb2 to 1.9.17p1, the sudo-1.9.16p2nb2 binary packages should be kept along with 2025Q2 packages?
And yes, I think we should remove all packages for which there is an updated version. When there are updates like php8{1,2,3,4}, is there a reason to keep the old ones?
I always thought that if a change is important enough to have a pullup, it's important enough to have the new version in the current quarter's collection.
John