Hi all,

I agree with Moritz that WordPress may pose a problem to Debian.
Ubuntu has "stolen" version 2.0.2-2 from Debian 10 months ago,
and I suspect it is vulnerable to 21 CVEs [1]. I am open to seeing
how they are going to support it for 5 years.


> as long as upstream provides fixes in reasonable time,
> why should we drop such a popular package?

How about if upstream doesn't support the 2.1.x branch anymore?

Firefox 1.0.x and Bugzilla 2.16.x are in sarge, but upstream
ceased to provide security updates around 11 months ago [2] [3].
We still need to support them for 1 year after etch is released.
So how can we deal with them? It is the security team who
backports changes from newer versions to patch the old versions.

So can popularity affect the decision? I think so. If a package
is popular enough that it makes sense for the security team
to put in extra effort, it is perhaps a good idea. Otherwise,
"many people using an unpatched version" simply sounds worse!


--
Regards,
Alan

[1] https://bugs.launchpad.net/ubuntu/+source/wordpress/+bug/89654
[2] http://www.mozilla.org/news.html#p404
   "Mozilla Corporation is also strongly recommending that Firefox
    1.0 users upgrade to this latest release of Firefox 1.5 in
    order to take advantage of significant security and stability
    improvements."
[3] http://www.bugzilla.org/news/
   "After Bugzilla 2.22 is released, there will be no more security
    updates from the Bugzilla Project for the 2.16 branch."
