
Re: Support for insecure applications



Hi,

On Feb/12/2021, Sylvain Beucler wrote:
> Hi,
> 
> On 12/02/2021 01:17, Carles Pina i Estany wrote:
> > When I was discussing this with a friend I had thought if Debian could
> > make available and visible for the users some metrics, contextualised in
> > similar (per functionality) packages:
> > 
> > -popularity
> > -number of recent updates in upstream
> > -number of contributors
> > -usage of version control system
> > -test coverage
> > -continuous integration
> > -upstream activity (issues, PRs, etc. with more the better GitHub or
> > similar places stars, forks, etc?)
> > -translations? (the more, the more popular the software is?)
> > -warnings from the compilers?
> > -static code analyser?
> > -documentation?
> > -CVEs?
> 
> Almost none of these relate to software _security_.

You are right, I was thinking of software quality, hoping that security
would come along in the majority of cases.

> Let's keep in mind that active/popular software are often the ones
> with the earlier Time-To-Market, at the expense of security (check the
> history of PHP or Docker for instance).

Yep, a number of items in my list make it seem more like a popularity
contest (it wasn't what I was thinking, and Popularity Contest might be
enough for this).

I've read Paul Wise's email in this thread and I'll follow the links and
the project. I was thinking of something along those lines, but to give
information to the end users. I'm interested in the checks that are
already included there, to see if they match the checks that I do when
choosing software.

We all decide to use A over B (e.g. to use the pwgen password generator
instead of one of the at least 5 other similar ones in Debian; or to use
the geeqie image viewer instead of another one...), and having more
information when choosing software might help in making better-informed
decisions. Perhaps it's not even about software quality but something
more general.

Since my thoughts about metrics to help in deciding between packages are
probably off-topic here, I'll move them to a better venue.

Cheers, thanks for answering!

-- 
Carles Pina i Estany
https://carles.pina.cat
