
Time allocation per CVE


I spent the day reproducing (unbreaking) the sqlalchemy exploit,
figuring out how to run the test suite, attempting a backport of the
upstream fix, plus some communication.

I did about the same for the gnutls/nettle issue last week (only to
conclude with a no-dsa T_T).

While I believe those were tricky (there's a reason why they were
sitting for weeks), this still costs time.
Does the above sound like a legitimate use of our sponsored time, or should
I call it quits earlier when a fix is not straightforward?

