
Re: Security team's opinion
Martin Schulze wrote:
> > > > there are two issues where I would like to ask you to comment on:
> > > > 
> > > > - mantis: We have two requests to allow it in. Is this ok from your
> > > >   side? (No bug id, sorry - in case that not, could you please open an
> > > >   RC bug on mantis?)
> > > 
> > > Why should the Security Team oppose a migration of Mantis?
> > 
> > Because it has a _really_ poor security record (21 distinct vulnerabilities
> > in the last two years!), which were extremely hard to fix, as upstream
> > > kept information hidden in inaccessible bugs and were thus unaddressed for
> > a long time.
> 
> Is the version of Mantis in stable kicked out during a dist-upgrade?
> If not, users will stay with the old version and will probably be more
> harmed compared to if they would upgrade to the newer version.

While this is true, this argument applies for every piece of software
removed between Sarge and Etch. (and we've removed other security-buggy
packages as well)

Aptitude's "Obsolete software" section is an excellent help to find packages
like these.

Cheers,
        Moritz
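The check Moritz points at (aptitude's "Obsolete software" view, i.e. packages still installed although no configured archive ships them any more) as a script. This is an added example, not part of the original mail or of aptitude itself; it parses `apt-cache policy` output and treats a candidate of "(none)" on an installed package as "obsolete". The package names and versions in the sample are constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): list installed packages that
# no enabled apt source carries any longer, which is what aptitude shows under
# "Obsolete software" and what `aptitude search '~o'` prints.
#
# On a real Debian host the pipeline is:
#   dpkg-query -W -f='${Package}\n' | xargs apt-cache policy | obsolete_from_policy

# Reads `apt-cache policy` output on stdin and prints one package name per line
# for every package that is installed (Installed != "(none)") but whose
# Candidate is "(none)", i.e. removed from every configured archive.
obsolete_from_policy() {
    awk '
        /^[^ \t]/            { pkg = $0; sub(/:$/, "", pkg); installed = ""; next }
        /^  Installed:/      { installed = $2; next }
        /^  Candidate:/      { if (installed != "(none)" && $2 == "(none)") print pkg }
    '
}

# Constructed sample of apt-cache policy output (assumption: these packages and
# versions are illustrative only). "mantis" is installed but has no candidate,
# "libfoo1" is still shipped by the archive, "bar" is not installed at all.
SAMPLE='mantis:
  Installed: 1.0-1
  Candidate: (none)
  Version table:
 *** 1.0-1 100
        100 /var/lib/dpkg/status
libfoo1:
  Installed: 2.0-3
  Candidate: 2.0-3
  Version table:
 *** 2.0-3 500
        500 http://deb.debian.org/debian stable/main amd64 Packages
        100 /var/lib/dpkg/status
bar:
  Installed: (none)
  Candidate: (none)
  Version table:
'

# Runs the detector over the constructed sample; returns "mantis".
sample_obsolete() {
    printf '%s\n' "$SAMPLE" | obsolete_from_policy
}

sample_obsolete
```

Packages this prints no longer receive security updates from the archive, so on a box that has been dist-upgraded across a release they are the first candidates to remove or replace.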
