Re: BoF: Supporting 15,000 packages - How much support do we mean?

On Wed, May 30, 2007 at 09:38:16PM +0100, Ben Hutchings wrote:
> On Tue, 2007-05-29 at 19:46 -0700, Steve Langasek wrote:
> > On Tue, May 29, 2007 at 11:51:38PM +0100, Ben Hutchings wrote:
> > > There were some discussions on -private (and possibly here?) earlier in
> > > the year about quality vs quantity of packages.

> > > It should be clear to most developers that our many packages are not all
> > > equal in quality; nor are all maintainers. Not everyone is aware that
> > > packages in a stable release may have serious known bugs - even security
> > > bugs - that won't get fixed because of overstretched or MIA developers,
> > > or lack of upstream support.

> > What evidence do you have that serious security bugs "won't get fixed" in a
> > stable release because of MIA developers?

> Search for "years" in
> http://bugs.debian.org/cgi-bin/pkgreport.cgi?which=tag&data=security&archive=no&version=&dist=stable&pend-exc=fixed&pend-exc=done&include=security

If I search on
(since the question was about "serious security bugs"), the only matches are
listed as "From other Branch", meaning that the versions listed as affected
in the BTS are not versions present in stable.

> > AFAIK, the burden of providing
> > security updates largely falls on the shoulders of the security team, even
> > in many cases where the maintainers are not MIA.

> Security bugs in less popular packages generally do not get fixed
> quickly, if ever, by the security team or the "testing security" team.

Example, please?

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/