did they ever start backporting security patches? I know that was a major issue in the early days that really soured me on the competence of the project. you cannot take a rolling release distro, bless some package versions as “stable” and call it a day.