On Fri, 1 Feb 2013 09:45:07 -0500
Rich Freeman <rich0@g.o> wrote:

> That seems rather speculative. I'm sure that people look for
> vulnerabilities in unmaintained software - if they didn't then nobody
> would be able to exploit them in the first place (you have to find a
> vulnerability to exploit it). I imagine most vulnerabilities are
> found by people outside of projects in the first place.
>
> We don't know how many vulnerabilities there are in maintained
> packages, let alone unmaintained ones, so a comparison is a bit
> difficult.

Also, there are plenty of packages that can't really *have* interesting
security vulnerabilities in the first place. I don't know the specifics
of the games that were removed, but games in general, if they are
purely single-player and only ever read and write files in the player's
home directory, don't really have an attack surface to start with. You
can't remotely exploit a program that never creates a socket, and you
can't locally exploit a program that never tries to access files other
than those in its invoker's home directory and root-writable
directories like /usr/share, and does so with the invoker's usual
privileges. Do you treeclean those because "they might have security
holes"?

Chris