[mulmen]

RPM (YUM? DNF? RHEL?) lets me subscribe to security updates separately from updates. Does that concept exist in language distribution?

[8n4vidtmkvmk]

I don't know how it would. Hackers would just claim everything is a security update.

Unless maybe you give special permission to some trusted company to designate certain releases of packages they don't own are security patches... But that sounds untenable.

[cozzyd]

It would have to be handled by the repository owner(e.g. PyPI) similar to how quarantines are done.