Re: Support for insecure applications

To: debian-lts@lists.debian.org, carles@pina.cat
Subject: Re: Support for insecure applications
From: Sylvain Beucler <beuc@beuc.net>
Date: Fri, 12 Feb 2021 12:33:33 +0100
Message-id: <[🔎] 09d44472-e927-e67e-9a98-23387df92f16@beuc.net>
In-reply-to: <[🔎] 20210212001701.GA3101@pina.cat>
References: <[🔎] 877dne8duc.fsf@canidae.wired.pri> <[🔎] 20210212001701.GA3101@pina.cat>

Hi,

On 12/02/2021 01:17, Carles Pina i Estany wrote:

When I was discussing this with a friend I had thought if Debian could
make available and visible for the users some metrics, contextualised in
similar (per functionality) packages:

-popularity
-number of recent updates in upstream
-number of contributors
-usage of control version system
-test coverage
-continous integration
-upstream activity (issues, PRs, etc. with more the better GitHub or
similar places stars, forks, etc?)
-translations? (the more, more popualar the software is?)
-warnings from the compilers?
-static code analyser?
-documentation?
-CVEs?


Almost none of these relate to software _security_.

Let's keep in mind that active/popular software are often the ones withthe earlier Time-To-Market, at the expense of security (check thehistory of PHP or Docker for instance).

Also beware that "automated" ranking usually ends up pretty biased aswell, e.g. social media's "algorithms" (or SourceForge's front-pageprojects some years ago).


Cheers!
Sylvain

Reply to:

Follow-Ups:
- Re: Support for insecure applications
  - From: Carles Pina i Estany <carles@pina.cat>

References:
- Support for insecure applications
  - From: Brian May <brian@linuxpenguins.xyz>
- Re: Support for insecure applications
  - From: Carles Pina i Estany <carles@pina.cat>

Prev by Date: Re: Support for insecure applications
Next by Date: Re: Support for insecure applications
Previous by thread: Re: Support for insecure applications
Next by thread: Re: Support for insecure applications
Index(es):
- Date
- Thread