Hello team,

Lately I've been helping new contributors learn how to contribute by preparing CVE fixes for our packages.

Fortunately I was able to find CVEs from packages I own myself, which made the process a bit easier, but I would like to be able to pick other packages' CVEs to work on ("no-dsa" ones).

So the question is, does the release team consider it ok to push proposed-updates without having to go through the package maintainer (given we follow the regular process for p-u uploads)?

I would love it if that could be the case, as having to get the maintainer's approval is too much overhead, so that one might decide to spend their time doing something else. I have an impression that this is allowed already but wanted to confirm.

In case the release team says we have to reach out to the maintainer, would it be possible to provide some rough guidelines? For example: "cc'ing the maintainer on the release.d.o p-u bug report is all that's needed", or "open up a bug against the package indicating your intention to do a p-u upload".

Would the answer be the same for any type of p-u upload? I assume a no-dsa CVE fix and a regular bug fix would fall into the same bucket (that's why I've made the email subject generic).

My end goal is to get new contributors interested in fixing CVEs and improve the overall quality of our releases.

Cheers,

-- 
Samuel Henrique <samueloph>
Fortunately I was able to find CVEs from packages I own myself, which made the process a bit easier, but I would like to be able to pick other packages CVEs to work on ("no-dsa" ones). So the question is, does the release team consider it ok to push proposed-updates without having to go through the package maintainer (given we follow the regular process for p-u uploads)? I would love it if that could be the case, as having to get the maintainer's approval is too much overhead so that one might decide to spend their time doing something else. I have an impression that this is allowed already but wanted to confirm. In case the release team says we have to reach out to the maintainer, would it be possible to provide some rough guidelines? For example: "cc'ing the maintainer on the release.d.o p-u bug report is all that's needed", or "open up a bug against the package indicating your intention to do a p-u upload". Would the answer be the same for any type of p-u upload? I assume a no-dsa CVE fix and a regular bug fix would fall into the same bucket (that's why I've made the email subject generic). My end goal is to get new contributors interested in fixing CVEs and improve the overall quality of our releases. Cheers, -- Samuel Henrique <samueloph>