Hello,
I notice that the quality of our packages can vary significantly. Some
get frequent security updates, while with others the author appears to
be confused just what an SQL injection attack is and how to prevent it.
Not going to name names here, because they have done a wonderful job in
developing the software, publishing it as open source, and getting it
into Debian. And they most likely are not-paid and doing this on their
own time. I think that possibly there are a number of packages and
different (possibly seriously time constrained) authors here.
Plus Debian doesn't seem to have any requirement that packages should be
vaguely secure before a new package in accepted (maybe this needs to
change?).
However, I was wondering if we should even try to support such software
that obviously has not been written to have any level of security? As
even if we patch one CVE - chances are there are many more security
waiting to be found. We are providing a disservice to our users by
pretending that all software is secure, when obviously it is not.
Yes, this could also result in a flame war with the author too. Which I
would rather avoid. Maybe though people who are keen enough, and have
time, to enter a flame war, are also keep enough to help fix the
problems.
But I am not sure that treating all software as equal, when it obviously
isn't, is a good thing for our users.
Yes, users can look up our security trackers, not sure how much this
helps though. A lot of these open security issues aren't necessarily
serious issues that warrant concern.
Any ideas, comments?