| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA256 |
| 3 |
|
| 4 |
On 01/02/13 08:56 AM, Wulf C. Krueger wrote: |
| 5 |
> On 01.02.2013 14:47, Rich Freeman wrote: |
| 6 |
>>> And how will you get to know about current or future security |
| 7 |
>>> issues if nobody (in Gentoo) cares about the package? |
| 8 |
>> The same way that you know about security issues in Firefox or |
| 9 |
>> Chromium [...] Until somebody tells upstream about them you're |
| 10 |
>> going to be vulnerable. |
| 11 |
> |
| 12 |
> Indeed. In contrast to many of the packages that were mentioned in |
| 13 |
> this thread, Firefox and Chromium have an active upstream, though. |
| 14 |
> |
| 15 |
> What do you think will happen to projects with a dead upstream? I |
| 16 |
> think the answer is pretty simple: Nothing. |
| 17 |
|
| 18 |
Not really, no. A dead upstream means that there isn't an upstream to |
| 19 |
push a fix or release a new version. That's all. |
| 20 |
|
| 21 |
If security bugs occur then there's two options -- fix, or remove. So |
| 22 |
if the gentoo dev in question doesn't have time/ability/desire to fix, |
| 23 |
they or security remove it at that point. |
| 24 |
|
| 25 |
This isn't "nothing" to me; I must be missing something from your |
| 26 |
response? |
| 27 |
-----BEGIN PGP SIGNATURE----- |
| 28 |
Version: GnuPG v2.0.19 (GNU/Linux) |
| 29 |
|
| 30 |
iF4EAREIAAYFAlELyo8ACgkQ2ugaI38ACPC1FAD/fxM93LFEKtl8t87qc6QSIkTL |
| 31 |
HkQtk2t4xFQxoBAZNIUBALrMJxstxw4pBwOytiQfJq9CLxf3dOnUIQCdRDwIxA6Y |
| 32 |
=j28W |
| 33 |
-----END PGP SIGNATURE----- |
Archives