-In addition, the normal maintainer should <emphasis>always</emphasis> retain
-the entry in the changelog file documenting the non-maintainer upload -- and of
-course, also keep the changes. If you revert some of the changes, please
-reopen the relevant bug reports.
+If you upload a package to testing or stable, you sometimes need to "fork" the
+version number tree. This is the case for security uploads, for example. For
+this, a version of the form
+<literal>+deb<replaceable>XY</replaceable>u<replaceable>Z</replaceable></literal>
+should be used, where <replaceable>X</replaceable> and
+<replaceable>Y</replaceable> are the major and minor release numbers, and
+<replaceable>Z</replaceable> is a counter starting at <literal>1</literal>.
+When the release number is not yet known (often the case for
+<literal>testing</literal>, at the beginning of release cycles), the lowest
+release number higher than the last stable release number must be used. For
+example, while Lenny (Debian 5.0) is stable, a security NMU to stable for a
+package at version <literal>1.5-3</literal> would have version
+<literal>1.5-3+deb50u1</literal>, whereas a security NMU to Squeeze would get
+version <literal>1.5-3+deb60u1</literal>. After the release of Squeeze, security
+uploads to the <literal>testing</literal> distribution will be versioned
+<literal>+deb61uZ</literal>, until it is known whether that release will be
+Debian 6.1 or Debian 7.0 (if that becomes the case, uploads will be versioned
+as <literal>+deb70uZ</literal>).