
Re: Should we be alarmed at our state of security support?



On Thu, Feb 19, 2015 at 07:29:29AM -0600, John Goerzen wrote:
> However, part of what I was trying to figure out here is: do we have a
> lot of unpatched vulnerabilities in our archive?

Yes. Every system (not just Debian) has unpatched vulnerabilities. In some cases those vulnerabilities are known, and in some cases those vulnerabilities are unknown. Fixing all of the vulnerabilities in general purpose software is effectively impossible. So the real question is, are there unfixed vulnerabilities worth fixing? The answer to that depends on the level of risk one is willing to take, and may include patching only vulnerabilities that are likely to be exploited, applying all potentially security-related patches, or intensively auditing the code and trying to fix all vulnerabilities. The question is made more difficult by the fact that applying patches can introduce new vulnerabilities--so fixing all low-risk vulnerabilities could potentially make things worse rather than better.

There are no good answers, and the better answers all require a great deal of effort. Debian may be able to do a better job of communicating why certain bugs are prioritized over others, but what really should matter to you is whether the assumptions used to prioritize each bug are valid for your particular environment. (That is, you need to review each bug at length.) For most people that level of effort isn't justified, and they are content to accept whatever is prioritized by their vendor. If there are specific cases where you think that Debian made the wrong call, it's reasonable to bring those up for discussion--people do make mistakes. But do understand that we will never get to zero bugs.

Mike Stone
