https://lists.debian.org/debian-security-announce/2008/msg00...
> he got ACKs from the devs
You're totally right: https://news.ycombinator.com/item?id=6343782
> Every distro package ecosystem has the maintainers discuss patches with upstream.
I don't think that's entirely fair to say, it's certainly best practice.