
Re: Security team's opinion



Moritz Muehlenhoff wrote:
> On Tue, Dec 12, 2006 at 08:12:31PM +0100, Martin Schulze wrote:
> > Andreas Barth wrote:
> > > Hi,
> > > 
> > > there are two issues where I would like to ask you to comment on:
> > > 
> > > - mantis: We have two requests to allow it in. Is this ok from your
> > >   side? (No bug id, sorry - in case that not, could you please open an
> > >   RC bug on mantis?)
> > 
> > Why should the Security Team oppose a migration of Mantis?
> 
> Because it has a _really_ poor security record (21 distinct vulnerabilities
> in the last two years!), which were extremely hard to fix, as upstream
> kept information hidden in inaccessible bugs and they were thus unaddressed
> for a long time.

Is the version of Mantis in stable kicked out during a dist-upgrade?
If not, users will stay with the old version and will probably be more
harmed than if they upgraded to the newer version.

> If mantis were anyhow important I would agree to still keep it, but given
> that it's a package with no significant user base (40 installed in popcon,
> probably less in production) it's just not worth the effort.

That may be an argument.

Regards,

	Joey

-- 
No question is too silly to ask, but, of course, some are too silly
to answer.   -- Perl book
