On Mon, Feb 17, 2025 at 9:14 PM Santiago Ruano Rincón <santiag...@riseup.net> wrote:
> There are two numbers accompanying the source packages: the amount of
> currently open security issues in sid, and the number of security issues
> that have been present in Debian ever (as you mention).

I've been biting my tongue a bit here, but there's an implicit third number here (which no one is able to actually compute): the number of actual security issues that need attention.

CVEs are not perfect. CVE count is, charitably, a proxy for how much security attention / research a package gets (hopefully that is, in turn, a proxy for how important a package is). Not so charitably, it's perhaps a proxy for how many people who want to build a reputation as an expert have spent time finding something that would pass minimal scrutiny as a security issue.

There are plenty of security issues that are solved via normal bugfixes by people who never realize the security implications of their bugfixes. In important security-sensitive places, too!

Updating to the latest upstreams is a good idea for lots of reasons, but I don't totally understand the nexus to CVEs here. Don't let me dissuade you from doing good work here, but I reckon CVE counting is likely going to lead to a lot of very weird non-security-related biases which you may or may not actually want.

FWIW this will solve one real problem: lots of companies complain endlessly and mindlessly about CVEs based on package version(s) without regard to the issue being exploitable or even reachable (or built into the binary, in some cases!). Closing CVEs out will no doubt make them complain less, which sounds nice.

Paul