Spot on, Greg. We want all package maintainers to relate with the upstream providers, because that extends the work we do in Fedora to all Linux providers and consumers equally. Besides the fact that this is just good FOSS citizenship, it also contributes to fixing a huge meta-problem across the Linux landscape — that users can have vastly different experiences using different Linux distributions, beyond the paint jobs. When code works in one place and doesn’t in another, it’s too often due to maintainers either (a) not sharing fixes back with the FOSS ecosystem, or (b) carrying patches that upstream won’t take because they are deficient. Either case is ultimately a loss for both users and developers.
That having been said, the difference in the ramifications of a bad patch to something like a desktop applet that shows you a happy face, and something like glibc or the OpenSSL libraries, is a pretty fair gap. We should protect one — or at least be concerned about one — more than the other. I’m not sure it’s as simple as applying a formula, but it could be that there’s a core of system libraries in which any non-upstreamed patches are going to be subjected to much more rigorous review before they’re used.
And in all cases, we should prefer, by a wide margin, getting those patches upstreamed. Our experience in Fedora over the years shows that carrying these patches only as temporary backports works well, not just in maintaining a strong relationship with upstream providers, but also in gauging the health of the upstream community.