I'm looking after a server which has a customised package, based on a patch against an upstream Debian package from a different version of Debian to what the server actually runs. I want to make sure I can respond in a timely manner to any security issues that arise with the upstream package.
The upstream source is at: https://anonscm.debian.org/viewvc/pkg-mailman/trunk/ and svn://anonscm.debian.org/pkg-mailman/trunk .
Is there a way to monitor for security patches against that? How are new releases flagged as having a security impact? I get that a trunk branch may not equate to any release, but can I somehow monitor e.g. the 'testing' branch for security fixes?