Comment 17 for bug 1990655

Seth Arnold (seth-arnold) wrote :

Hello Zixing, we're not expecting Foundations to take on active SAST, DAST, test-case development, or code review, to proactively find security issues as part of this MIR process -- but we are expecting that Foundations will dedicate time to issues in this package as they are found if the fixes require "enough" time.

There's a wide spectrum of possible security issues from e.g. integer overflows that can be fixed with a single line of code through to monster refactors that change internal data structures and algorithms extensively (hello samba!).

In the ideal case, this will be replaced with a supported parser before the next LTS and we'll never ask for any help.

I would expect in a project like this that even a really gross issue could be sorted -- or mitigated via removing features, etc. -- with a week's effort. And there's probably only a few of those problems in this package. So think of it as potentially a week's engineering time every cycle. It'll probably never happen, but if it does, we'd want a response commensurate with our prioritization.

Thanks