-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 01/02/13 08:56 AM, Wulf C. Krueger wrote:
> On 01.02.2013 14:47, Rich Freeman wrote:
>>> And how will you get to know about current or future security
>>> issues if nobody (in Gentoo) cares about the package?
>> The same way that you know about security issues in Firefox or
>> Chromium [...] Until somebody tells upstream about them you're
>> going to be vulnerable.
>
> Indeed. In contrast to many of the packages that were mentioned in
> this thread, Firefox and Chromium have an active upstream, though.
>
> What do you think will happen to projects with a dead upstream? I
> think the answer is pretty simple: Nothing.

Not really, no. A dead upstream means that there isn't an upstream to
push a fix or release a new version. That's all.

If security bugs occur then there's two options -- fix, or remove. So
if the gentoo dev in question doesn't have time/ability/desire to fix,
they or security remove it at that point.

This isn't "nothing" to me; I must be missing something from your
response?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iF4EAREIAAYFAlELyo8ACgkQ2ugaI38ACPC1FAD/fxM93LFEKtl8t87qc6QSIkTL
HkQtk2t4xFQxoBAZNIUBALrMJxstxw4pBwOytiQfJq9CLxf3dOnUIQCdRDwIxA6Y
=j28W
-----END PGP SIGNATURE-----