> The OpenSSH team would be well served by paying closer attention
> to various distribution patches to their code as well
Unfortunately tracking distribution patches is not very easy. There is no common interface
which has a list of patch files for a package.
Upstream authors must either look through the different bug report interfaces, or download the
package source and look for applied patches. Additionally there are lots of different patch
systems (eg. Debian has dpatch, quilt, dbs, simple-patchsys, or just no system at all ;).
So in most cases, I believe upstream authors trust distribution maintainers to do the right
thing and send a copy of patches to the author or the mailing list.