Time allocation per CVE
I spent the day reproducing (unbreaking) the sqlalchemy exploit,
figuring out how to run the test suite, attempting a backport of the
upstream fix, plus some communication.
I did about the same for the gnutls/nettle issue last week (only to
conclude with a no-dsa T_T).
While I believe those were tricky (there's a reason why they were
sitting for weeks), this still costs time.
Does the above sound like a legitimate use of our sponsored time, or should
I call it quits earlier when a fix is not straightforward?