On Tue, May 29, 2007 at 07:46:34PM -0700, Steve Langasek wrote:
>
> What evidence do you have that serious security bugs "won't get fixed" in a
> stable release because of MIA developers? AFAIK, the burden of providing
> security updates largely falls on the shoulders of the security team, even
> in many cases where the maintainers are not MIA.
>

AFAIK, most security bugs are never reported to MITRE or Secunia or the like. For most "smaller" projects, I would guess that the majority of security bugs are fixed in the normal course of development without any sort of special advisories, except perhaps in the changelog published by upstream. I think that it is entirely conceivable that there are many latent security bugs in Debian resulting from just such situations, where the maintainer is MIA and nobody is keeping tabs on upstream development. Of course, since the security team can't possibly monitor upstream development for every package (even just those which don't have active maintainers), we can't really know.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com