Using the nice tool Bugs Search @ UDD, I get these RC bug numbers:
Is this sort of disparity expected? Is this a bug in that tool?
The amount is correct, unfortunately. Though, there might still be a fair amount of false-positives in the list: Bugs filed after the release of lenny and actually only affecting squeeze, though the version information was the same time at the point when the bug was filed. Those bugs will need to get specially marked so that they are not considered to affect stable. This is a mission that I’ve set out to do, and only very few people joined my effort here.
About the remaining issues, there is a lot of minor security issues that the overworked security team consider minor enough and instead invest their time on more severe issues to get them fixed, leaving the ball with the maintainers of the packages. Sometimes though maintainers don’t see much sense in investing time into fixing bugs in stable, so those keep lying around unfortunately.
The number of bugs where simple patches wouldn’t do the trick, like thomas suggested, is actually not that big, there is still a lot of easy fixes out there. I am willing to mentor anyone to work on getting the lenny RC counter down, so feel free to contact me.
Yes it is expected.
Basically, Lenny has been around for a long time, giving people plenty of time to find its bugs.
Because it is stable, as a general rule it won’t accept any new versions or major changes in functionality unless it’s deemed necessary to fix a security issue, so any RC bugs that cannot be fixed with a simple patch will remain.
It shouldn’t necessarily be taken as an indication that Lenny is more buggy that Squeeze – the number of bug reports is not the same as the number of bugs. In a software product a lot of bugs tend to be reported quickly, then after time it trails off but there is a long tail of less obvious bugs that are reported long after a release, that build up when a release remains stable for a long time.