For a number of years we have aimed at providing stable releases about every four months, from respective branches. Reportedly downstreams are facing issues in particular when we issue security advisories with complex patch series and/or dependencies on stuff that has gone onto the branches, but hasn’t been released yet. The primary alternative option to discuss is whether to add a 2nd criteria for when to release: The earlier of 4 months or a (batch of) security advisory(ies). But of course other options are possible as well. An important aspect that need hashing out is how to make such releases useful to downstreams. An important concern here is the delay that cutting a release incurs, meaning there is a window in time between advisories going public and releases to be actually finished. This is conflicts with the desire / need for those downstreams to make available update packages at the time of security advisories going public.