Hi, I spent the day reproducing (unbreaking) the sqlalchemy exploit, figuring out how to run the test suite, attempting a backport of the upstream fix, plus some communication.
I did about the same for the gnutls/nettle issue last week (only to conclude with a no-dsa T_T). While I believe those were tricky (there's a reason why they were sitting for weeks), this still costs time. Does the above sounds a legitimate use of our sponsored time, or should I call it quits earlier when a fix is not straightforward? Cheers! Sylvain
