Anatomy of an attack: How Coinbase was targeted with emails booby-trapped with Firefox zero-days

Loyal Commenter

Re: Discovered 'simoultaneosly', or leaked?

I'd disagree. Using any standard diff tool, you'd be able to review each commit, see the before-and-after changes, line-by-line, and if you are a reasonably competent programmer, work out what they are for. I would expect that the mitigation for a privilege escalation flaw would be reasonably easy to recognise, even without explanatory comments (which any programmer worth their salt should be adding anyway); certainly a lot easier than spotting the flaw it is intending to fix. You'd also expect it to be fairly easy to spot things like fixes for buffer-overruns, as there's only so many ways you can write code to check the size of a payload before writing it to memory.

For these reasons, I'd agree with the OP and hope that such fixes go into a non-public branch that only gets merged into the public master branch at the point it gets released.
