> If a security vulnerability is reported by someone who is also violating the CoC, what do you do? Do you ignore it? Fix it silently?
Is this even a question? You triage and fix the vulnerability just like any other one. Are truths spoken by folks one dislikes — even for perfectly valid reasons — any less true?
The only way I can imagine this somehow applying is if someone has a habit of reporting vulnerabilities which do not exist, or of exaggerating their severity. Is crying wolf a CoC violation? If so, then I can imagine that particular sort of bad behaviour justifying some consideration before acting on a report.
Will xorg backport patches from Xlibre?
No, because xorg is a dead project that doesn't take any patches from anywhere and xlibre has shit code quality and is probably vibecoded now
Really? From what I have seen so far, most of the contributions to xlibre have been cleaning up stuff that's been obviously wrong in xorg, and using tools - including AI and more bog-standard tooling - to find issues, add safety checks, and a whole lot more. They're merging in a namespace extension which solves many of the purported 'security' issues in X11 today.
How badly are they violating the code of conduct? It wouldn't be the first time a security researcher got thrown into prison or jail, in this line of work.