
Re: BoF: Supporting 15,000 packages - How much support do we mean?



On Wed, May 30, 2007 at 03:15:59AM -0400, Roberto C. Sánchez wrote:
> On Tue, May 29, 2007 at 07:46:34PM -0700, Steve Langasek wrote:
> > 
> > What evidence do you have that serious security bugs "won't get fixed" in a
> > stable release because of MIA developers?  AFAIK, the burden of providing
> > security updates largely falls on the shoulders of the security team, even
> > in many cases where the maintainers are not MIA.
> > 
> AFAIK, most security bugs are never reported to MITRE or Secunia or the
> like.  For most "smaller" projects, I would guess that the majority of
> security bugs are fixed in the normal course of development without any
> sort of special advisories, except perhaps in the changelog published by
> upstream.  I think that it is entirely conceivable that there are many
> latent security bugs in Debian resulting from just such situations,
> where the maintainer is MIA and nobody is keeping tabs on upstream
> development.  Of course, since the security team can't possibly monitor
> upstream development for every package (even just those which don't have
> active maintainers), we can't really know.

You could estimate with sampling.

Regards,
Paddy
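A worked illustration of the sampling idea, added here as an example and not code from the thread or from the Debian project: audit a random subset of packages for upstream security fixes that never became advisories, then scale the observed fraction, with a confidence interval, to the whole archive, and compute how large the sample needs to be for a chosen margin of error. The audit results, the package names and the population size of 15,000 are constructed; the functions (`wilson_interval`, `estimate_latent_fixes`, `sample_size_for_margin`, `draw_sample`) are hypothetical helpers written for this example.

```python
import math
from random import Random

# Constructed audit results (hypothetical): for each sampled package, 1 means
# the auditor found a security fix in upstream's changelog that never reached
# an advisory or a stable update, 0 means none was found.  40 packages audited,
# 5 with an unreported fix.  No real package or finding is represented.
SAMPLE_RESULTS = [0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0,
                 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]

# Constructed population: the "15,000 packages" from the subject line,
# represented by placeholder names rather than real source package names.
POPULATION = ["pkg-%05d" % i for i in range(15000)]


def wilson_interval(successes, n, z=1.96):
    """Wilson score interval for a binomial proportion (95% at z=1.96).

    Preferred over the plain normal approximation because it stays inside
    [0, 1] and behaves sensibly for small samples and rare events, which is
    exactly the situation when auditing a few dozen packages.
    """
    if n <= 0:
        raise ValueError("sample size must be positive")
    p = successes / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return centre - half, centre + half


def estimate_latent_fixes(results, population_size):
    """Scale the sampled proportion and its interval up to the archive."""
    k = sum(results)
    n = len(results)
    lo, hi = wilson_interval(k, n)
    point = k / n
    return {
        "sample_proportion": point,
        "ci": (lo, hi),
        # Low, point and high estimates of affected packages archive-wide.
        "estimated_packages": (population_size * lo,
                               population_size * point,
                               population_size * hi),
    }


def sample_size_for_margin(margin, z=1.96, p=0.5):
    """Smallest n whose normal-approximation half-width is <= margin.

    p=0.5 is the conservative (worst-case) choice when the true rate is unknown.
    """
    if not 0 < margin < 1:
        raise ValueError("margin must be in (0, 1)")
    return math.ceil(z * z * p * (1 - p) / (margin * margin))


def draw_sample(population, n, seed=0):
    """Simple random sample without replacement; seeded so the draw is reproducible."""
    return Random(seed).sample(population, n)


if __name__ == "__main__":
    est = estimate_latent_fixes(SAMPLE_RESULTS, len(POPULATION))
    print("sampled proportion: %.3f" % est["sample_proportion"])
    print("95%% interval: %.3f .. %.3f" % est["ci"])
    print("estimated affected packages: %d .. %d .. %d"
          % tuple(round(x) for x in est["estimated_packages"]))
    print("sample needed for +/-5%% at 95%%: %d" % sample_size_for_margin(0.05))
    print("first 5 packages to audit:", draw_sample(POPULATION, 5))
```

The interval is deliberately wide for 40 packages; the `sample_size_for_margin` figure shows what a tighter estimate costs in audit effort, which is the practical trade-off behind the suggestion.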


