WolfSSL "Immediately Retired" from Fedora for Failing to Follow Packaging Rules

22 points, posted 2 days ago
by LinuxBender

4 Comments

Ukv

2 days ago

From what I can find:

1. Andrew Bauer submitted the package for review[0]

2. It was pointed out that he should also consult the Fedora Security Team since it's a crypto package

3. The URL in the documentation was dead so Andrew made a post[1] asking how to contact the security team and was told:

> The URL is wrong, it is: [...] That said, the list is inactive and the formal security team disbanded many years ago. You may want to check the Matrix room, which does have some activity: [...]

4. Andrew asked in the Matrix chat[2], received a recommendation, implemented that recommendation, and updated the review as such

The Fedora Engineering Steering Committee characterized Andrew's actions as "it appears they stopped reading as soon as someone who sounded authoritative gave them what they want", but as far as I can tell the "authoritative" sounding reply was the only reply Andrew had gotten until after approval.

May be fair to say Andrew should have given it more than the ~16 hours to wait on the Matrix chat members to respond, but I feel the majority of the issue is with the Fedora project making it a bit of a mess to navigate who needs to be contacted and give approval.

[0]: https://bugzilla.redhat.com/show_bug.cgi?id=2302646

[1]: https://lists.fedoraproject.org/archives/list/devel@lists.fe...

[2]: https://matrix.to/#/!rLwJHmTvzWCMjftFrS:matrix.org/$-furTazx...

daghamm

2 days ago

I don't understand, what does the policy actually require and why?

And if this is for export control, does it mean Fedora packages are normally gimped or backdoored when downloaded in other countries??

gizmo686

2 days ago

"Policies" in this case are system wide configurations. The idea is you can set at the system level things like "do not use md5" and be reasonably confident that nothing on the system is going to ignore that.

This has nothing to do with export control.
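An added illustration of what such a system-wide policy looks like in practice (not from the thread and not Fedora's own code): a small parser for a constructed policy file in the "key = values" style used by crypto-policies definitions, plus a subpolicy that removes one algorithm, so anything consulting the policy refuses it. The file contents and the +/- subpolicy syntax are assumptions for illustration.

```python
from typing import Dict, Set

# Constructed excerpt in the style of a crypto-policies definition file
# (e.g. /usr/share/crypto-policies/policies/*.pol). The exact line syntax
# here is an assumption for illustration, not copied from Fedora's files.
BASE_POLICY = """
# hypothetical base policy
hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256
cipher = AES-256-GCM AES-128-GCM CHACHA20-POLY1305
protocol = TLS1.3 TLS1.2
min_rsa_size = 2048
"""

# Constructed subpolicy: '-' removes an algorithm from the inherited list,
# '+' adds one. An algorithm never listed (e.g. MD5) is simply not allowed.
SUBPOLICY_NO_SHA256 = """
hash = -SHA2-256
protocol = +TLS1.1
"""

def parse_policy(text: str, base=None) -> Dict[str, object]:
    """Parse 'key = values' lines; '+'/'-' prefixed values modify `base` (copied, not mutated)."""
    policy: Dict[str, object] = {k: (set(v) if isinstance(v, set) else v)
                                 for k, v in (base or {}).items()}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.startswith("min_"):
            policy[key] = int(value)              # numeric limits replace outright
            continue
        tokens = value.split()
        if tokens and tokens[0][0] in "+-":       # incremental edit of an inherited list
            current: Set[str] = set(policy.get(key, set()))
            for tok in tokens:
                (current.add if tok[0] == "+" else current.discard)(tok[1:])
            policy[key] = current
        else:
            policy[key] = set(tokens)             # full replacement of the list
    return policy

def is_allowed(policy, category: str, algorithm: str) -> bool:
    """Allow-list semantics: True only if the policy explicitly lists the algorithm."""
    return algorithm in policy.get(category, set())

def rsa_key_ok(policy, bits: int) -> bool:
    """Key-size floor check against the policy's min_rsa_size."""
    return bits >= policy.get("min_rsa_size", 0)
```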

daghamm

2 days ago

I see, some of the comments mentioned export laws and that got me confused.