Hi,

[I lack the time to comment extensively, just some brief comments. This will likely be my last post in this buglog]

Steve Langasek wrote:
> On Tue, Mar 13, 2007 at 01:46:45AM +1000, Anthony Towns wrote:
> > Dividing by years gives:
> >
> >   CVEs  Earliest  Years  CVEs/Year
> >
> >     43      2004      3       14.3  wordpress
> >     63      2002      5       12.6  phpbb2
> >     37      2004      3       12.3  moodle
> >     46      2002      5        9.2  bugzilla
> >     45      2001      6        7.5  phpmyadmin
> >
> > Viewed this way, wordpress definitely appears to have one of the /highest/
> > rates of security holes for webapps of its class.
> >
> > 14 bugs per year versus 12 for moodle and phpbb2 doesn't seem that big
> > a difference to me.
>
> Sure. I'm not arguing that I would have made the same decision as the
> security team in their place, I just think that there's insufficient
> evidence to support overriding their decision.

A major difference is that all other packages are already present in stable and removing them would be a regression for our users. Also, phpbb2 has improved significantly in their production branch and the maintainer is doing very well.

I'd also like to remind that moving wordpress to volatile doesn't make it a second-class package! It just means that a package is not suitable for 36 month release cycles. Even the wordpress update Neil provided for testing from the 2.0 maintenance release included several non-security fixes. It's also extremely likely that Wordpress will require new countermeasures for blog comment spam etc.

If Neil updates wordpress in volatile, it can be maintained with the wordpress 2.0 branch as far as possible and if that fails it can be updated to a new upstream version. I'm willing to provide security information about new vulnerabilities like for any other package in the archive and assist as far as my time permits.

Kai, I'm very irritated about your behaviour. Quotes like

>19:57 < hendry> the arguments by vorlon and jmm_ are pitiful

or calling Thijs' arguments FUD are not acceptable in a technical discussion. Having been your AM I would have expected better.

To the core of the problem: Several web applications have similar problems and security support for them will need to be re-evaluated for Lenny. I'm willing to discuss such criteria at DebConf with interested parties.

Cheers,
Moritz