On Fri, Feb 02, 2018 at 01:48:52PM -0500, Michael Stone wrote:
> And we've all learned a lot more about secure coding in the past 20 years.

Who is "we all"?
I'd guess the majority of new packages in Debian were not written
by people who have learned anything about secure coding.
It is very rare that a removed package ever had a CVE.
On a more general note, my personal impression is that the quality
of the average package ITP'ed into Debian today is lower than the
quality of the average package that was added to Debian 20 years ago.
The typical minimum bar has shifted from "student who has already
studied a few years Computer Science" to "15yo with GitHub account".
Better not think of security (or any other kind of sw quality)
when looking at new software in some of our blends.
And then there are the > 1k Node.js packages that are part of Debian.

> Mike Stone

"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed