Re: Packages with a history of security issues and whose packaged version is not up to date
* Colin Watson <cjwatson@debian.org> [250214 18:13]:
> On Fri, Feb 14, 2025 at 03:28:35PM +0100, Marc Haber wrote:
> > Especially if the list just goes the (wrong) way of so many commercial
> > security tools and/or consultants who just compare version numbers and
> > flag our stable versions as vulnerable regardless whether we have
> > patched vulnerabilities or not.
>
> But it doesn't. Santiago's using the data from the security tracker to
> determine whether CVEs are open.
I understood Santiago looked at all packages that ever had a
security issue reported. The two of my packages in the list would
support this interpretation.
I don't see how this is a meaningful prioritization.
Chris