-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 01/02/13 08:56 AM, Wulf C. Krueger wrote:
> On 01.02.2013 14:47, Rich Freeman wrote:
>>> And how will you get to know about current or future security 
>>> issues if nobody (in Gentoo) cares about the package?
>> The same way that you know about security issues in Firefox or 
>> Chromium [...] Until somebody tells upstream about them you're 
>> going to be vulnerable.
> 
> Indeed. In contrast to many of the packages that were mentioned in
> this thread, Firefox and Chromium have an active upstream, though.
> 
> What do you think will happen to projects with a dead upstream? I 
> think the answer is pretty simple: Nothing.

Not really, no.  A dead upstream means that there isn't an upstream to
push a fix or release a new version.  That's all.

If security bugs occur then there are two options -- fix, or remove.  So
if the Gentoo dev in question doesn't have time/ability/desire to fix,
they or security remove it at that point.

This isn't "nothing" to me; I must be missing something from your
response?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iF4EAREIAAYFAlELyo8ACgkQ2ugaI38ACPC1FAD/fxM93LFEKtl8t87qc6QSIkTL
HkQtk2t4xFQxoBAZNIUBALrMJxstxw4pBwOytiQfJq9CLxf3dOnUIQCdRDwIxA6Y
=j28W
-----END PGP SIGNATURE-----
