
Re: Known vulnerabilities left open in Debian?

Matt Zimmerman wrote:
> If you have concrete information about unfixed bugs, bring it forth.
> Otherwise this is just more FUD.

Now.  To be fair, these bugs probably aren't the end of the world as
long as you understand what all of them are and how to protect
yourself, and I don't expect a great number of people are even using
the Debian Zope packages.  But as more time goes on these bugs are
getting harder and harder to keep on top of because there are so many
of them and they go so deep that backporting to this version of Zope
becomes incredibly non-trivial.  Frankly I wish Zope would just be
dropped from stable, but I am glad Debian has the sensibilities to air
their security bugs openly and not hide them in obscurity (like say...
the Zope project itself).  It gives people the ability to remain
informed, and that's ever so important.

Still there are times when the project tends to let known holes
fester.  I find it tends to be worst around a new release.  Take for
example the mysql crash bug #131921 which was given up for a lost
cause.  Thankfully I've never seen this happen with a vulnerability
that can cause a system compromise in a popular package.

Jamie Heilman                     http://audible.transient.net/~jamie/
"Paranoia is a disease unto itself, and may I add, the person standing
 next to you may not be who they appear to be, so take precaution."
						-Sathington Willoughby
