Re: BoF: Supporting 15,000 packages - How much support do we mean?



On Tue, 2007-05-29 at 19:46 -0700, Steve Langasek wrote:
> On Tue, May 29, 2007 at 11:51:38PM +0100, Ben Hutchings wrote:
> > There were some discussions on -private (and possibly here?) earlier in
> > the year about quality vs quantity of packages.
> 
> > It should be clear to most developers that our many packages are not all
> > equal in quality; nor are all maintainers. Not everyone is aware that
> > packages in a stable release may have serious known bugs - even security
> > bugs - that won't get fixed because of overstretched or MIA developers,
> > or lack of upstream support.
> 
> What evidence do you have that serious security bugs "won't get fixed" in a
> stable release because of MIA developers?

Search for "years" in
http://bugs.debian.org/cgi-bin/pkgreport.cgi?which=tag&data=security&archive=no&version=&dist=stable&pend-exc=fixed&pend-exc=done&include=security

> AFAIK, the burden of providing
> security updates largely falls on the shoulders of the security team, even
> in many cases where the maintainers are not MIA.

Security bugs in less popular packages generally do not get fixed
quickly, if ever, by the security team or the "testing security" team.
This is understandable; they have their hands full with the more popular
packages (and other responsibilities).

Ben.

-- 
Ben Hutchings
Everything should be made as simple as possible, but not simpler.
                                                           - Albert Einstein
