Hi,

On Mon, 11 Mar 2019, Sylvain Beucler wrote:
> I spent the day reproducing (unbreaking) the sqlalchemy exploit,
> figuring out how to run the test suite, attempting a backport of the
> upstream fix, plus some communication.
>
> I did about the same for the gnutls/nettle issue last week (only to
> conclude with a no-dsa T_T).
>
> While I believe those were tricky (there's a reason why they were
> sitting for weeks), this still costs time.
> Does the above sound like a legitimate use of our sponsored time, or should
> I call it quits earlier when a fix is not straightforward?
Yes, it does sound like a legitimate use of sponsored time. We need people
who are willing to dig deeper and handle hard issues. It's fine to handle
fewer CVEs than your peers if you regularly pick hard/long-sitting issues.

The question becomes relevant when the number of open issues starts to
increase and when we have to make choices about which issues to handle now
and which issues to postpone. But right now I think we are doing fine.

Just make sure that your hours are not wasted, i.e. document your findings
somewhere even if you decide to mark the issue no-dsa.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/