From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 808B31387CA for ; Fri, 1 Feb 2013 14:45:11 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id A681321C01A; Fri, 1 Feb 2013 14:45:09 +0000 (UTC)
Received: from mail-ia0-f180.google.com (mail-ia0-f180.google.com [209.85.210.180]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id A6128E059B for ; Fri, 1 Feb 2013 14:45:08 +0000 (UTC)
Received: by mail-ia0-f180.google.com with SMTP id f27so5532983iae.11 for ; Fri, 01 Feb 2013 06:45:08 -0800 (PST)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-dev@lists.gentoo.org
Reply-to: gentoo-dev@lists.gentoo.org
MIME-Version: 1.0
X-Received: by 10.43.65.145 with SMTP id xm17mr2903987icb.35.1359729907871; Fri, 01 Feb 2013 06:45:07 -0800 (PST)
Sender: freemanrich@gmail.com
Received: by 10.64.30.231 with HTTP; Fri, 1 Feb 2013 06:45:07 -0800 (PST)
In-Reply-To: <510BCC61.4000504@mailstation.de>
References: <510BA4ED.9030405@flameeyes.eu> <510BB012.4010507@gentoo.org> <510BB398.1090000@flameeyes.eu> <510BB6D2.8060906@gentoo.org> <510BBAC7.10302@flameeyes.eu> <510BC4D8.7050908@mailstation.de> <510BC979.9030505@mailstation.de> <510BCA8F.7050406@gentoo.org> <510BCC61.4000504@mailstation.de>
Date: Fri, 1 Feb 2013 09:45:07 -0500
X-Google-Sender-Auth: 4LW4TbOuycbodCfoNlrnZjV97PI
Message-ID:
Subject: Re: [gentoo-dev] Re: Please stop useless removals
From: Rich Freeman
To: gentoo-dev
Content-Type: text/plain; charset=ISO-8859-1
X-Archives-Salt: 719f9df9-953d-4dbd-a9a2-342d530516d5
X-Archives-Hash: 070dd669237ee2e90b1d43ea198bc82a

On Fri, Feb 1, 2013 at 9:08 AM, Wulf C. Krueger wrote:
>
> In the "dead upstream" case it's unlikely anyone is checking the
> package for security issues in the first place. So neither the Gentoo
> security people will get notice via the usual sources nor will any
> upstream be informed.

That seems rather speculative. I'm sure that people look for vulnerabilities in unmaintained software - if they didn't then nobody would be able to exploit them in the first place (you have to find a vulnerability to exploit it). I imagine most vulnerabilities are found by people outside of projects in the first place.

We don't know how many vulnerabilities there are in maintained packages, let alone unmaintained ones, so a comparison is a bit difficult. Popularity is probably a better indicator of whether something will have vulnerabilities reported than whether it has an upstream. The two are of course loosely connected.

Rich