[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#413926: wordpress: Should not ship with Etch

On Tue, Mar 13, 2007 at 01:46:45AM +1000, Anthony Towns wrote:
> Dividing by years gives:

> CVEs Earliest Years CVEs/Year

>   43     2004     3      14.3  wordpress
>   63     2002     5      12.6  phpbb2
>   37     2004     3      12.3  moodle
>   46     2002     5       9.2  bugzilla
>   45     2001     6       7.5  phpmyadmin

> > Viewed this way, wordpress definitely appears to have one of the /highest/
> > rates of security holes for webapps of its class.

> 14 bugs per year versus 12 for moodle and phpbb2 doesn't seem that big
> a difference to me.

Sure.  I'm not arguing that I would have made the same decision as the
security team in their place, I just think that there's insufficient
evidence to support overriding their decision.

> I'm not sure that bug counts like this are really useful though -- they
> don't measure the severity of the problems, and could be indicative of
> popular code that's being regularly fixed as much as low quality code
> that's being regularly broken.

Indeed, standing alone a bug count can equally suggest a thorough audit or a
terribly buggy piece of software.  As the folks doing the backports of
security fixes for wordpress, aren't the security team best positioned to
know which applies here?

> > FWIW, I also took a look at some popcon numbers for these webapps, and
> > here's what I found for number of reported installs:
> >   phpmyadmin: 3504
> >   wordpress: 245
> >   phpbb2: 197
> >   bugzilla: 148

> Of those packages, wordpress was the only one not released with sarge, so I
> don't think the numbers are readily comparable.

Fair enough.

> We seem to have a statement of support from upstream, and an endorsement
> from Neil that it's been supportable as far as testing-security was
> concerned, as well as from Martin Zobel-Helas who's one of the stable
> release managers, so I can't see the need to decline to release it.

I give a lot of weight to concerns expressed by the security team.  Granted,
they don't get to pick their bugs, and it would be unreasonable for the
security team to throw out, say, all packages that had ever had security
bugs, or to decline to support all packages of Priority optional or lower
due to lack of manpower; but I think the difference between "this package is
bound to have security issues because it's large and addresses a difficult
problem space", and "this package is bound to have security issues because
its very poorly designed or has atypically low standards for acceptance of
contributions" is relevant.  It's my impression that the security team's
objections to wordpress stem from a belief that it lies in the latter

> I'd consider it the maintainer's and RMs' call though.

Ok, does that mean you agree the TC should not override any decisions here?

Hmm -- if it's the RMs' call, I guess that means Andi and I both are
required to abstain from any vote on this (Constitution 6.3.2).  Is it still
ok for me to call for a vote? :)  (FWIW, as RM the decision I consider to
have made is "defer to the judgement of the security team", so I guess the
TC does have a choice on who to overrule...)

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/

Reply to: