A big part of your job as Debian maintainer will be to stay in contact with the upstream developers. Debian users will sometimes report bugs that are not specific to Debian to our bug tracking system. You have to forward these bug reports to the upstream developers so that they can be fixed in a future upstream release.
While it's not your job to fix non-Debian specific bugs, you may freely do so if you're able. When you make such fixes, be sure to pass them on to the upstream maintainers as well. Debian users and developers will sometimes submit patches to fix upstream bugs — you should evaluate and forward these patches upstream.
If you need to modify the upstream sources in order to build a policy compliant package, then you should propose a nice fix to the upstream developers which can be included there, so that you won't have to modify the sources of the next upstream version. Whatever changes you need, always try not to fork from the upstream sources."
Eindeutiger geht es wohl nicht: "When you make such fixes, be sure to pass them on to the upstream maintainers as well." Die strikte Befolgung dieser Guidelines hätte wohl den Debian-Openssl-Bug schon zu Beginn verhindert.
http://www.debian.org/doc/developers-reference/
ch-developer-duties#s-upstream-coordination
"3.5 Coordination with upstream developers
A big part of your job as Debian maintainer will be to stay in contact with the upstream developers. Debian users will sometimes report bugs that are not specific to Debian to our bug tracking system. You have to forward these bug reports to the upstream developers so that they can be fixed in a future upstream release.
While it's not your job to fix non-Debian specific bugs, you may freely do so if you're able. When you make such fixes, be sure to pass them on to the upstream maintainers as well. Debian users and developers will sometimes submit patches to fix upstream bugs — you should evaluate and forward these patches upstream.
If you need to modify the upstream sources in order to build a policy compliant package, then you should propose a nice fix to the upstream developers which can be included there, so that you won't have to modify the sources of the next upstream version. Whatever changes you need, always try not to fork from the upstream sources."
Eindeutiger geht es wohl nicht:
"When you make such fixes, be sure to pass them on to the upstream maintainers as well."
Die strikte Befolgung dieser Guidelines hätte wohl den Debian-Openssl-Bug schon zu Beginn verhindert.