Time allocation per CVE

To: debian-lts@lists.debian.org
Subject: Time allocation per CVE
From: Sylvain Beucler <beuc@beuc.net>
Date: Mon, 11 Mar 2019 22:41:35 +0100
Message-id: <[🔎] 1ef5a0ee-17a2-1b3b-a25b-9647680312b2@beuc.net>

Hi,

I spent the day reproducing (unbreaking) the sqlalchemy exploit,
figuring out how to run the test suite, attempting a backport of the
upstream fix, plus some communication.

I did about the same for the gnutls/nettle issue last week (only to
conclude with a no-dsa T_T).

While I believe those were tricky (there's a reason why they were
sitting for weeks), this still costs time.
Does the above sounds a legitimate use of our sponsored time, or should
I call it quits earlier when a fix is not straightforward?

Cheers!
Sylvain

Reply to:

Follow-Ups:
- Re: Time allocation per CVE
  - From: Raphael Hertzog <hertzog@debian.org>

Prev by Date: sqlalchemy testsuite
Next by Date: Re: Serious regression in systemd 215-17+deb8u10
Previous by thread: sqlalchemy testsuite
Next by thread: Re: Time allocation per CVE
Index(es):
- Date
- Thread