Re: Security team's opinion
Martin Schulze wrote:
> > > > there are two issues where I would like to ask you to comment on:
> > > >
> > > > - mantis: We have two requests to allow it in. Is this ok from your
> > > > side? (No bug id, sorry - in case that not, could you please open an
> > > > RC bug on mantis?)
> > >
> > > Why should the Security Team oppose a migration of Mantis?
> > Because it has a _really_ poor security record (21 distinct vulnerabilities
> > in the last two years!), which were extremely hard to fix, as upstream
> > kept information hidden in inaccessible bugs and were thus unadressed for
> > a long time.
> Is the version of Mantis in stable kicked out during a dist-upgrade?
> If not, users will stay with the old version and will probably be more
> harmed compared to if they would upgrade to the newer version.
While this is true, this argument applies for every piece of software
removed between Sarge and Etch. (and we've removed other security-buggy
packages as well)
Aptitude's "Obsolete software" section is an excellent help to find packages