Hi *, I like that idea! I think security updates etc could need some more attention. I don't know anything about arch and pacman internals (I'm rather new to arch if that counts as a justification ;) ), so I don't know if that's doable or already discussed, etc, but: What I, as a user, would like to see as a final result of this connecting cve with updates thing is that new versions of packages can be marked as closing a security vulnerability. That allows for various cool things, such as - periodically running some command that updates the package lists and, if there is an update involving a security fix, notify the user - if you like, automatically update such packages if only the bugfix version number changes (and the package is not on a blacklist and ... whatever rule you define) In the moment, I update very often, because I think "maybe there's a security fix somewhere, better take care", and I never know if I should reboot (or at least restart some things). Once that has been implemented reliably, I could be a little more relaxed in this (e.g. not upgrade at all when I don't have much time for a week or two, unless there's such a notification) As I said, just a suggestion from an unknowing user point of view ;) regards, Marian