On Mon, Mar 12, 2007 at 01:30:14AM -0700, Steve Langasek wrote: > However, on closer examination, the source data that Neil used here > (svn://svn.debian.org/svn/secure-testing/data/CVE/list) covers *all* > historical CVEs dating back to 1999. This means that, while the history for > phpbb2 and bugzilla includes CVE entries dating back to 2002, and the > history for phpmyadmin stretches back to 2001, the earliest CVE for > wordpress, a comparatively young piece of software, is CVE-2004-1559.
Dividing by years gives: CVEs Earliest Years CVEs/Year 43 2004 3 14.3 wordpress 63 2002 5 12.6 phpbb2 37 2004 3 12.3 moodle 46 2002 5 9.2 bugzilla 45 2001 6 7.5 phpmyadmin > Viewed this way, wordpress definitely appears to have one of the /highest/ > rates of security holes for webapps of its class. 14 bugs per year versus 12 for moodle and phpbb2 doesn't seem that big a difference to me. I'm not sure that bug counts like this are really useful though -- they don't measure the severity of the problems, and could be indicative of popular code that's being regularly fixed as much as low quality code that's being regularly broken. > FWIW, I also took a look at some popcon numbers for these webapps, and > here's what I found for number of reported installs: > phpmyadmin: 3504 > wordpress: 245 > phpbb2: 197 > bugzilla: 148 Of those packages, wordpress was the only one not released with sarge, so I don't think the numbers are readily comparable. moodle was also released with sarge, and has a popcon count of 71, afaics. We seem to have a statement of support from upstream, and an endorsement from Neil that it's been supportable as far as testing-security was concerned, as well as from Martin Zobel-Helas who's one of the stable release managers, so I can't see the need to decline to release it. I'd consider it the maintainer's and RMs' call though. (We've removed packages from stable releases in the past, as well, so I don't see why that option's been ruled out either. Equally, we've added packages to stable releases in the past, so if Martin wanted to exercise his prerogative as SRM and add it back in in r1, he could, afaics) Cheers, aj
signature.asc
Description: Digital signature
