Davide Prina <davide.pr...@gmail.com> wrote:
> you must understand that who report a security problem can be a different
> person

The point is, to quote the paper: "a vast majority of vulnerabilities and their corresponding security patches remain beyond public exposure"

Vulnerabilities are fixed in fresh versions of software. The versions in Stable stay vulnerable, even if all CVEs are reported to Debian (which I don't think is the case) and even if they are all fixed quickly (which is definitely not the case).

It's a limitation of Debian's and RH's approach, compared to the rolling-release approach. This is one of the two things I mentioned that debian.org/security is not telling you.

> chromium has been removed from testing

That doesn't help people who trusted debian.org/security and are running it.

--
Sent with https://mailfence.com
Secure and private email