Logically, the only reason I can see to increment the build for a
“security fix” is if an external dependency changed in ways that
required a trivial rebuild of the exact same source version (sdist).
Is this what you’re referring to? And in that case, can you
elaborate on why that (incrementing just the build number when
rebuilding the binary artifacts without fudging a “fake” new source
version to represent the rebuild action) leads to problems for
downstream consumers? Or are you saying the build number is getting
abused for other more disruptive alterations of the package?