Re: Support for insecure applications
On 12/02/2021 01:17, Carles Pina i Estany wrote:
> When I was discussing this with a friend I had thought about whether Debian
> could make available and visible to users some metrics, contextualised among
> similar (per functionality) packages:
> - number of recent updates upstream
> - number of contributors
> - use of a version control system
> - upstream activity (issues, PRs, etc., the more the better; stars, forks,
>   etc. on GitHub or similar places?)
> - translations? (the more there are, the more popular the software is?)
> - warnings from the compilers?
> - static code analyser?
Almost none of these relate to software _security_.
Let's keep in mind that active/popular software is often the kind with the
earliest time-to-market, at the expense of security (check the history of
PHP or Docker, for instance).
Also beware that "automated" ranking usually ends up pretty biased as
well, e.g. social media's "algorithms" (or SourceForge's front-page
projects some years ago).