[esafak]

Security updates bypass the cooldown.

[doctorpangloss]

But what channel decides it is a security update? How do you know? Someone has to notify whom exactly? And what if the adversary says their supply chain attack commit is a security update?

All of this cooldown stuff is so mind bogglingly stupid...