
Embargo handling through distributions

Posted Jun 27, 2025 20:26 UTC (Fri) by fw (subscriber, #26023)
Parent article: Libxml2's "no security embargoes" policy

For glibc, we didn't want to bother with setting up the infrastructure for private security bugs, either. Most flaws do not need an embargo, and public discussion allows us to move towards a fix more quickly. For the rare exceptions, we found some distribution security teams to handle the embargoes for us (including distros list notification).

Things have since evolved a bit for glibc, but binutils still follows this model: https://sourceware.org/git/?p=binutils-gdb.git;a=blob_plain;...

If you can find two or more downstream distributions you trust, this looks like a reasonable compromise to me. It does not solve all the other maintenance problems, of course, but I suppose every little bit helps.



Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds