Comment 14 for bug 1899193

We certainly want a CVE for moving the root check earlier I suppose, if that's doable with the API - I've not looked at how that all interacts in practice.

I think we need one CVE for each of these things? The code was not meant for untrusted input, but archive tools like launchpad use it for such (albeit in one process per PPA or so, so you can like only DoS a PPA you have write access to).