Re: Time allocation per CVE

2019-03-13 Thread Raphael Hertzog
Hi,

On Mon, 11 Mar 2019, Sylvain Beucler wrote:
> I spent the day reproducing (unbreaking) the sqlalchemy exploit,
> figuring out how to run the test suite, attempting a backport of the
> upstream fix, plus some communication.
> 
> I did about the same for the gnutls/nettle issue last week (only to
> conclude with a no-dsa T_T).
> 
> While I believe those were tricky (there's a reason why they were
> sitting for weeks), this still costs time.
> Does the above sound like a legitimate use of our sponsored time, or should
> I call it quits earlier when a fix is not straightforward?

Yes, it does sound like a legitimate use of sponsored time. We need people
who are willing to dig deeper and handle hard issues. It's fine to handle
fewer CVEs than your peers if you regularly pick hard/long-sitting issues.

The question becomes relevant when the number of open issues starts
to increase and when we have to make choices about which issues to handle
now and which issues to postpone. But right now I think we are doing fine.

Just make sure that your hours are not wasted, i.e. document your findings
somewhere even if you decide to mark the issue no-dsa.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/



Time allocation per CVE

2019-03-11 Thread Sylvain Beucler
Hi,

I spent the day reproducing (unbreaking) the sqlalchemy exploit,
figuring out how to run the test suite, attempting a backport of the
upstream fix, plus some communication.

I did about the same for the gnutls/nettle issue last week (only to
conclude with a no-dsa T_T).

While I believe those were tricky (there's a reason why they were
sitting for weeks), this still costs time.
Does the above sound like a legitimate use of our sponsored time, or should
I call it quits earlier when a fix is not straightforward?

Cheers!
Sylvain