On Tue, Mar 13, 2007 at 01:46:45AM +1000, Anthony Towns wrote:
> Dividing by years gives:
>
>   CVEs  Earliest  Years  CVEs/Year
>    43     2004      3      14.3    wordpress
>    63     2002      5      12.6    phpbb2
>    37     2004      3      12.3    moodle
>    46     2002      5       9.2    bugzilla
>    45     2001      6       7.5    phpmyadmin

> > Viewed this way, wordpress definitely appears to have one of the /highest/
> > rates of security holes for webapps of its class.

> 14 bugs per year versus 12 for moodle and phpbb2 doesn't seem that big
> a difference to me.

Sure.  I'm not arguing that I would have made the same decision as the
security team in their place, I just think that there's insufficient
evidence to support overriding their decision.

> I'm not sure that bug counts like this are really useful though -- they
> don't measure the severity of the problems, and could be indicative of
> popular code that's being regularly fixed as much as low quality code
> that's being regularly broken.

Indeed, standing alone a bug count can equally suggest a thorough audit or a
terribly buggy piece of software.  As the folks doing the backports of
security fixes for wordpress, aren't the security team best positioned to
know which applies here?

> > FWIW, I also took a look at some popcon numbers for these webapps, and
> > here's what I found for number of reported installs:
> >   phpmyadmin: 3504
> >   wordpress: 245
> >   phpbb2: 197
> >   bugzilla: 148

> Of those packages, wordpress was the only one not released with sarge, so I
> don't think the numbers are readily comparable.

Fair enough.

> We seem to have a statement of support from upstream, and an endorsement
> from Neil that it's been supportable as far as testing-security was
> concerned, as well as from Martin Zobel-Helas who's one of the stable
> release managers, so I can't see the need to decline to release it.

I give a lot of weight to concerns expressed by the security team.  Granted,
they don't get to pick their bugs, and it would be unreasonable for the
security team to throw out, say, all packages that had ever had security
bugs, or to decline to support all packages of Priority optional or lower
due to lack of manpower; but I think the difference between "this package is
bound to have security issues because it's large and addresses a difficult
problem space", and "this package is bound to have security issues because
it's very poorly designed or has atypically low standards for acceptance of
contributions" is relevant.  It's my impression that the security team's
objections to wordpress stem from a belief that it lies in the latter
category.

> I'd consider it the maintainer's and RMs' call though.

Ok, does that mean you agree the TC should not override any decisions here?

Hmm -- if it's the RMs' call, I guess that means Andi and I both are
required to abstain from any vote on this (Constitution 6.3.2).  Is it still
ok for me to call for a vote? :)  (FWIW, as RM the decision I consider to
have made is "defer to the judgement of the security team", so I guess the
TC does have a choice on who to overrule...)

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
