[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: BoF: Supporting 15,000 packages - How much support do we mean?

On Tue, May 29, 2007 at 07:46:34PM -0700, Steve Langasek wrote:
> What evidence do you have that serious security bugs "won't get fixed" in a
> stable release because of MIA developers?  AFAIK, the burden of providing
> security updates largely falls on the shoulders of the security team, even
> in many cases where the maintainers are not MIA.
AFAIK, most security bugs are never reported to MITRE or Secunia or the
like.  For most "smaller" projects, I would guess that that majority of
security bugs are fixed in the normal course of development without any
sort of special advisories, except perhaps in the changelog published by
upstream.  I think that it is entirely conceivable that there are many
latent security bugs in Debian resulting from just such situations,
where the maintainer is MIA and nobody is keeping tabs on upstream
development.  Of course, since the security team can't possibly monitor
upstream development for every package (even just those which don't have
active maintainers), we can't really know.



Roberto C. Sánchez

Attachment: signature.asc
Description: Digital signature

Reply to: