List Archive: gentoo-security
Headers:
To: gentoo-security@g.o
From: "Eilverijus Kondratas" <eilwerijus@...>
Subject: Re: SearchSecurity.com: 'Linux patch problems: Your distro may vary'
Date: Wed, 9 Aug 2006 12:53:08 +0000
Hi,

1) I'm not sure that calculations given in an article are good.
Average alone does not give a lot of information. For example:

(1+90)/2 = 45.5    and    (45+46)/2 = 45.5

it would be similar that 1 point if patch is released very late
90 if released very early and 45,46 in the middle. As one can
see, release time differs very much, but the average is the
same. So average alone does not give a lot of information.
Different story would be if together with average there would
be standard distribution, average alone is not enough.

2) I don't think that this calculation can be used for future
planning: "what system will be better". Statistically we should
apply "z" or at least "t" statistics instead of simple average.

Generally speaking, calculations given in an article are the simplest
ones taught in primary school. I did not find anything from
advanced statistics according to which the rating could be applied.

elwis

On 8/7/06, Vincent Rivellino <vince@...> wrote:
> Interesting study.  I like the premise of it.  However, I'm not sure I
> agree with their method.  From the article:
>
> "For instance, if a distribution fixed an issue on the earliest date, it
> would receive a score of 100 for that issue; if it was the last vendor to
> fix the issue, it would get a score of 0. One can then average the scores
> after evaluating the 30 issues."
>
> So this is just a ranking, with no quantitative results.  What I'd really
> like to know are the distributions' average response times for the High
> and Moderate vulnerabilities.
>
> While Gentoo might be 6th, I'd like to know how much slower Gentoo gets
> out patches than Ubuntu, Fedora, and/or RHEL.
>
> -Vince
>
> --
> Vincent Rivellino
> GPG Key ID: 62BFEBE4
> https://cuz.cx/gpg
>
> On Mon, August 7, 2006 07:42, Wolfram Schlich wrote:
> > Hi,
> >
> > I just stumbled over an article from SearchSecurity.com which was linked
> > to in a heise newsticker posting that tries to analyze how fast
> > distributions react to security vulnerabilities:
> >
> > http://tinyurl.com/lplfb
> >
> > Quick chart:
> >
> > Rank Distro                    Points/100
> > ---- ------------------------- ----------
> > 1.   Ubuntu                    76
> > 2.   Fedora Core               70
> > 3.   Red Hat Enterprise Linux  63
> > 4.   Debian GNU/Linux          61
> > 5.   Mandriva Linux            54
> > 6.   Gentoo Linux              39
> > 7.   Trustix Secure Linux      32
> > 8.   SUSE Linux Enterprise     32
> > 9.   Slackware Linux           30
> >
> > Rank 6 out of 10 is not a great result -- at least we beat SUSE ;)
> >
> > Any comments or thoughts about this?
> > Can we become better?
> > Are we maybe better than the author pretends?
> > Does the security team currently face serious problems that need to be
> > solved, be it inside or outside the security team?
> >
> > I am just curious and would be glad to get some feedback :)
> > --
> > Regards,
> > Wolfram Schlich <wschlich@g.o>
> > Gentoo Linux * http://dev.gentoo.org/~wschlich/
> > --
> > gentoo-security@g.o mailing list
>
> --
> gentoo-security@g.o mailing list

-- 
Eilverijus Kondratas
Master studies in Computer Science
Free University of Bozen-Bolzano
Italy, Bolzano
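
The point raised in this message, that an averaged score hides the spread and that comparing two averages calls for a "z" or "t" statistic, worked through as an added example (not part of the thread or the article). All per-issue scores below are constructed, and the p-value uses a normal ("z") approximation, which is only rough for ten samples.

```python
import math
from statistics import NormalDist, mean, stdev

# Constructed per-issue scores on the article's 0-100 scale for three
# hypothetical distributions; none of these figures come from the article.
DISTRO_A = [1, 90, 5, 88, 3, 92, 2, 85, 4, 85]       # either very late or very early
DISTRO_B = [45, 46, 44, 47, 45, 46, 45, 46, 45, 46]  # consistently mid-field
DISTRO_C = [8, 97, 12, 95, 10, 99, 9, 92, 11, 92]    # erratic, 7 points above A


def summarize(scores):
    """Return (mean, sample standard deviation) of per-issue scores."""
    return mean(scores), stdev(scores)


def welch_t(a, b):
    """Welch's t statistic for the difference of two sample means."""
    # Squared standard error of each mean: s^2 / n
    se_a = stdev(a) ** 2 / len(a)
    se_b = stdev(b) ** 2 / len(b)
    return (mean(a) - mean(b)) / math.sqrt(se_a + se_b)


def approx_p_value(statistic):
    """Two-sided p-value, treating the statistic as standard normal (z)."""
    return 2 * (1 - NormalDist().cdf(abs(statistic)))


def compare(name_a, a, name_b, b):
    """Format one comparison line: means, spreads, statistic, p-value."""
    (ma, sa), (mb, sb) = summarize(a), summarize(b)
    t = welch_t(a, b)
    return (f"{name_a}: mean={ma:.1f} sd={sa:.1f} | "
            f"{name_b}: mean={mb:.1f} sd={sb:.1f} | "
            f"t={t:.2f} p~{approx_p_value(t):.2f}")


if __name__ == "__main__":
    # Same average, completely different patching behaviour.
    print(compare("A", DISTRO_A, "B", DISTRO_B))
    # A 7-point lead in the average that the spread does not support.
    print(compare("C", DISTRO_C, "B", DISTRO_B))
```
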
Replies:
Re: SearchSecurity.com: 'Linux patch problems: Your distro may vary'
-- Brian G. Peterson
References:
SearchSecurity.com: "Linux patch problems: Your distro may vary"
-- Wolfram Schlich
Re: SearchSecurity.com: 'Linux patch problems: Your distro may vary'
-- Vincent Rivellino