Re: Yet another list statistics for debian-security

[Florian Weimer <fw@deneb.enyo.de>]

* Andreas Tille:

> Ups, the graph becomes quite sparse in the last years.  I can
> not really imagine that the reason should be that our software
> became more secure.  Is anybody out there who has an explanation
> which does not come to the conclusion that we immediately should
> try to strengthen this team?

Well, this is a general discussion list, not used for team
coordination.  As a result, if our documentation and tools improve,
and the quality of our security support, traffic on the list should
decrease, and not increase.  Therefore, I don't see a reason to worry,
at least not based on the numbers you presented.  (On top of that,
much of the 2008 list traffic is probably related to the broken random
number generated, but I haven't checked this.)

Regarding team load, it's true that there's quite a backlog in terms
of known issues (see, for instance,
<http://security-tracker.debian.net/tracker/status/release/stable>),
but due to communication overhead etc., we'd need to add a ridiculous
number of people to the team to make a dent in it--if all the work is
done inside the team.

As the security team, we generally try to react in a reasonable time
frame to patch submissions (that is, debdiffs for a proposed upload to
stable-security or testing-security, and a short test report).
However, for quite a few issues, there's little activity from package
maintainers.  If nobody in the security team uses the package on
production systems, and the package maintainer cannot provide input,
providing a security update is indeed difficult.