
Re: Bug#413926: wordpress: Should not ship with Etch



>>>>> "Anthony" == Anthony Towns <aj@azure.humbug.org.au> writes:

    Anthony> Dividing by years gives:

    Anthony> CVEs  Earliest  Years  CVEs/Year
    Anthony>   43      2004      3       14.3  wordpress
    Anthony>   63      2002      5       12.6  phpbb2
    Anthony>   37      2004      3       12.3  moodle
    Anthony>   46      2002      5        9.2  bugzilla
    Anthony>   45      2001      6        7.5  phpmyadmin

    >> Viewed this way, wordpress definitely appears to have one of
    >> the /highest/ rates of security holes for webapps of its class.

    Anthony> 14 bugs per year versus 12 for moodle and phpbb2 doesn't
    Anthony> seem that big a difference to me.

    Anthony> I'm not sure that bug counts like this are really useful
    Anthony> though -- they don't measure the severity of the
    Anthony> problems, and could be indicative of popular code that's
    Anthony> being regularly fixed as much as low quality code that's
    Anthony> being regularly broken.

While I'm not on the TC, I'd like to second the point here that
looking at bug counts here isn't really the right picture.

I work on MIT Kerberos for my day job.  We get a lot of complaints
that MIT Kerberos has a worse security track record than Heimdal
because we've had more security advisories.

However, almost all of these security advisories are from code
inspection and auditing, not from exploits.  We could (but ethically
will not) just ignore these issues or try and slip them into future
releases to try and improve our security track record.

However, without knowing whether similar auditing is going on against
other products, or knowing how many people are looking, the number of
security incidents per unit of time may not be a good description of
how buggy code is.

--Sam
