On Wed, May 30, 2007 at 03:15:59AM -0400, Roberto C. Sánchez wrote:
> On Tue, May 29, 2007 at 07:46:34PM -0700, Steve Langasek wrote:
> >
> > What evidence do you have that serious security bugs "won't get fixed" in a
> > stable release because of MIA developers? AFAIK, the burden of providing
> > security updates largely falls on the shoulders of the security team, even
> > in many cases where the maintainers are not MIA.
> >
> AFAIK, most security bugs are never reported to MITRE or Secunia or the
> like. For most "smaller" projects, I would guess that the majority of
> security bugs are fixed in the normal course of development without any
> sort of special advisories, except perhaps in the changelog published by
> upstream. I think that it is entirely conceivable that there are many
> latent security bugs in Debian resulting from just such situations,
> where the maintainer is MIA and nobody is keeping tabs on upstream
> development. Of course, since the security team can't possibly monitor
> upstream development for every package (even just those which don't have
> active maintainers), we can't really know.

You could estimate with sampling.

Regards,
Paddy