| 1 |
On Fri, Feb 1, 2013 at 9:08 AM, Wulf C. Krueger <wk@×××××××××××.de> wrote: |
| 2 |
> |
| 3 |
> In the "dead upstream" case it's unlikely anyone is checking the |
| 4 |
> package for security issues in the first place. So neither the Gentoo |
| 5 |
> security people will get notice via the usual sources nor will any |
| 6 |
> upstream be informed. |
| 7 |
|
| 8 |
That seems rather speculative. I'm sure that people look for |
| 9 |
vulnerabilities in unmaintained software - if they didn't then nobody |
| 10 |
would be able to exploit them in the first place (you have to find a |
| 11 |
vulnerability to exploit it). I imagine most vulnerabilities are |
| 12 |
found by people outside of projects in the first place. |
| 13 |
|
| 14 |
We don't know how many vulnerabilities there are in maintained |
| 15 |
packages, let alone unmaintained ones, so a comparison is a bit |
| 16 |
difficult. |
| 17 |
|
| 18 |
Popularity is probably a better indicator of whether something will |
| 19 |
have vulnerabilities reported than whether it has an upstream. The |
| 20 |
two are of course loosely connected. |
| 21 |
|
| 22 |
Rich |
Archives