This was my eighth month as a Freexian-sponsored LTS contributor. I was assigned 8 hours for the month of December. It’s also the month in which I (re)learned an important lesson.
I decided to take another run at backporting the security fixes for Quassel. Unlike the first time, I was successful at getting the fixes backported. Then I ran into another problem: the changes took advantage of new features in C++11 such as std::function.
I made an attempt to change things away from C++11 with my limited C++ foo and, after running head first into a brick wall several times, finally consulted with the upstream author of the original fixes. He let me know that while the problematic code is in fact present in the Quassel versions in squeeze and wheezy, it’s not actually possible to trigger the security issue and that the CVEs should not actually apply to those versions.
That’s my report of a singularly unproductive and unpleasant 8 hours. Next time I ask upstream first if there’s any doubt. I shouldn’t assume they only care about current/recent releases.