On Fri, Feb 1, 2013 at 9:08 AM, Wulf C. Krueger <w...@mailstation.de> wrote:
>
> In the "dead upstream" case it's unlikely anyone is checking the
> package for security issues in the first place. So neither the Gentoo
> security people will get notice via the usual sources nor will any
> upstream be informed.
That seems rather speculative. I'm sure that people look for vulnerabilities in unmaintained software - if they didn't then nobody would be able to exploit them in the first place (you have to find a vulnerability to exploit it). I imagine most vulnerabilities are found by people outside of projects in the first place. We don't know how many vulnerabilities there are in maintained packages, let alone unmaintained ones, so a comparison is a bit difficult. Popularity is probably a better indicator of whether something will have vulnerabilities reported than whether it has an upstream. The two are of course loosely connected.

Rich