On Tue, Feb 18, 2025, 8:56 AM Roberto C. Sánchez <robe...@debian.org> wrote:
> I agree that something like this effort is likely to reduce the
> occurrence of that sort of thing. And, yes, CVE is probably not a great
> proxy. But Santiago has discussed this with quite a few of us on the LTS
> team at various points along the way, and a better proxy hasn't been
> found.
>

Fair enough - any prioritization is better than "bump everything" - this is at least actionable. I reckon as long as we all know (as I suspect we do at least in this thread) this may just be a list of "important packages plus packages someone looking to find a nail matching their hammer collection decided was high return on effort to find a bug" it's still totally worthwhile to do imvho.

I can't think of any situation except the exceptional where we'd want to intentionally stay out of date with the latest stable release of upstreams, so kudos for that work! Hopefully it also leads to the long tail of attack surface (that doesn't know it and never had a CVE) in Debian similarly being motivated to follow this example and update too.

Thanks for all your hard work!

Paul