Of course we looked at the Debian bug, the problem is that we only learned of it after they
made a public release. There are good mechanisms to avoid this sort of problem occurring
(nominated security contacts, vendor-sec, etc.) but none of them were used.
I'm not sure how any of this leads to us being "inward looking", which is frankly insulting
given how much time some of us spend ensuring OpenSSH continues to run on platforms we don't
use frequently or at all.