On Fri, Feb 1, 2013 at 9:08 AM, Wulf C. Krueger <wk@×××××××××××.de> wrote:
>
> In the "dead upstream" case it's unlikely anyone is checking the
> package for security issues in the first place. So neither the Gentoo
> security people will get notice via the usual sources nor will any
> upstream be informed.

That seems rather speculative. I'm sure that people look for
vulnerabilities in unmaintained software - if they didn't then nobody
would be able to exploit them in the first place (you have to find a
vulnerability to exploit it). I imagine most vulnerabilities are
found by people outside of projects in the first place.

We don't know how many vulnerabilities there are in maintained
packages, let alone unmaintained ones, so a comparison is a bit
difficult.

Popularity is probably a better indicator of whether something will
have vulnerabilities reported than whether it has an upstream. The
two are of course loosely connected.

Rich