Gentoo Archives: gentoo-security

From: "Hemmann
To: gentoo-dev@l.g.o, gentoo-security@l.g.o
Subject: Re: [gentoo-security] SearchSecurity.com: "Linux patch problems: Your distro may vary"
Date: Mon, 07 Aug 2006 17:57:41
Message-Id: 200608071948.08238.volker.armin.hemmann@tu-clausthal.de
In Reply to: [gentoo-security] SearchSecurity.com: "Linux patch problems: Your distro may vary" by Wolfram Schlich
On Monday 07 August 2006 13:42, Wolfram Schlich wrote:
> Hi,
>
> I just stumbled over an article from SearchSecurity.com which was linked to
> in a heise newsticker posting that tries to analyze how fast distributions
> react to security vulnerabilities:
>
> http://tinyurl.com/lplfb
>
> Quick chart:
>
> Rank Distro                    Points/100
> ---- ------------------------- ----------
> 1.   Ubuntu                    76
> 2.   Fedora Core               70
> 3.   Red Hat Enterprise Linux  63
> 4.   Debian GNU/Linux          61
> 5.   Mandriva Linux            54
> 6.   Gentoo Linux              39
> 7.   Trustix Secure Linux      32
> 8.   SUSE Linux Enterprise     32
> 9.   Slackware Linux           30
>
> Rank 6 out of 10 is not a great result -- at least we beat SUSE ;)
>
> Any comments or thoughts about this?
> Can we become better?
> Are we maybe better than the author pretends?
> Does the security team currently face serious problems that need to be
> solved, be it inside or outside the security team?

Comment? Yes. I would like to know if they counted until the patch/fix was announced or until it was available.

If you are using unstable (~arch) you will get a lot of fixes BEFORE they are announced. So when the nice 'packet FOO is vulnerable, upgrade to FOO+1' arrives, you think 'gee.. I updated to FOO+1 two nights ago....'.

So there is a difference between: fix is available for unstable, fix is available for stable, fix is announced. And I would like to know which of the three got into that 'statistic'.

--
gentoo-security@g.o mailing list