[raviksharma]

Adding to the other reply.

If the package is in Ubuntu Main repository (https://ubuntu.com/blog/ubuntu-updates-releases-and-reposito...), it is maintained by Canonical engineers for LTS. Ubuntu Universe gets security fixes for up to 10 years as part of the Ubuntu Pro offering, which is where most of the upstream Debian packages are.

A package from Ubuntu can be removed using the following process, Anyone can file a request. https://canonical-ubuntu-project.readthedocs-hosted.com/stag... (note: the url will move to documentation.ubuntu.com domain)

Debian also has https://qa.debian.org/popcon.php?package=openssl, but it does not mean that a package with very low popularity should be removed.