Brian Nelson wrote:
> First of all, the sarge security autobuilders are still not yet
> functional, which is the biggest thing holding back the release.

But until we have released, those autobuilders would not be used for security updates for sarge anyway. Security fixes are currently reaching sarge in the usual way.

> Based on data I've seen, testing typically has around 50-100 open
> security vulnerabilities at any time. That number is a little lower now
> because we're so close to release, but there are still around 30.

What data do you base the figure of 100 on? The mail you referred to contained duplicates in its lists between CANs and DSAs. Of course counting security holes is an iffy business anyway, since a given CAN may stand in for one or a dozen holes, or a set of several CANs might cover some holes that are closely related and all fixed in the same upload to Debian. And of course the mail you referred to represents an effort to back-check over two years of security holes against sarge. Since this has, AFAIK, never been done for a previous Debian release, there's no data for comparison.

--
see shy jo