
Re: Bug#413926: wordpress: Should not ship with Etch

On Mon, Mar 12, 2007 at 01:30:14AM -0700, Steve Langasek wrote:
> However, on closer examination, the source data that Neil used here
> (svn://svn.debian.org/svn/secure-testing/data/CVE/list) covers *all*
> historical CVEs dating back to 1999.  This means that, while the history for
> phpbb2 and bugzilla includes CVE entries dating back to 2002, and the
> history for phpmyadmin stretches back to 2001, the earliest CVE for
> wordpress, a comparatively young piece of software, is CVE-2004-1559.

Dividing by years gives:

  CVEs  Earliest  Years  CVEs/Year  Package

    43      2004      3       14.3  wordpress
    63      2002      5       12.6  phpbb2
    37      2004      3       12.3  moodle
    46      2002      5        9.2  bugzilla
    45      2001      6        7.5  phpmyadmin

> Viewed this way, wordpress definitely appears to have one of the /highest/
> rates of security holes for webapps of its class.

14 bugs per year versus 12 for moodle and phpbb2 doesn't seem that big
a difference to me.

I'm not sure that bug counts like this are really useful though -- they
don't measure the severity of the problems, and could be indicative of
popular code that's being regularly fixed as much as low quality code
that's being regularly broken.

> FWIW, I also took a look at some popcon numbers for these webapps, and
> here's what I found for number of reported installs:
>   phpmyadmin: 3504
>   wordpress: 245
>   phpbb2: 197
>   bugzilla: 148

Of those packages, wordpress was the only one not released with sarge, so I
don't think the numbers are readily comparable.

moodle was also released with sarge, and has a popcon count of 71, afaics.

We seem to have a statement of support from upstream, and an endorsement
from Neil that it's been supportable as far as testing-security was
concerned, as well as from Martin Zobel-Helas who's one of the stable
release managers, so I can't see the need to decline to release it.

I'd consider it the maintainer's and RMs' call though.

(We've removed packages from stable releases in the past, as well, so I
don't see why that option's been ruled out either. Equally, we've added
packages to stable releases in the past, so if Martin wanted to exercise
his prerogative as SRM and add it back in in r1, he could, afaics)

