Bug#1134196: bouncycastle CVE-2026-5588 LTS contribution feedback

[James Montgomery]

Hi Sylvain,

On 22/04/2026, Sylvain Beucler wrote:
> Thanks for your interest in Debian LTS.
>
> These appear to be your first contributions to Debian. I would recommend
> starting with less sensitive and more accessible areas, such as Bug of the Day
> http://blends.debian.net/botd/botd.html and more generally the Debian New
> Member process https://nm.debian.org/ to e.g. get DM status.

Thanks for taking the time to respond, really appreciate the guidance. I
figured 'just start working' and someone will poke their head in and point
me in the right direction :)

> In particular, we try not to perform security uploads for single-CVE updates,
> and the update focuses more on thorough regression testing (including rdeps)
> than on backporting itself, making this kind of contribution less useful to
> the team.

That makes sense. I had a rough idea that LTS work required more than a clean
backport, but totally underestimated the emphasis on rdep regression coverage.
No more one-off debdiffs from me until I have that track record built up. I'll
focus on the NM process and working through Bug of the Day in the meantime.

One thing I'd like to check while I'm finding my footing: is contributing
supporting research to TODO entries in data/CVE/list still considered
worthwhile? My understanding is that adding NOTE: lines with upstream commit
references, CVSSv3 context, or "not-affected" rationale to existing TODO
stanzas helps whoever picks the CVE up next and can avoid duplicate research —
all without requiring any upload privileges. Is that a contribution the team
finds useful, or would you rather the tracker triage be left to established
contributors as well?

Thanks again for your time.

Best,
James