Hi,<br>
<br>
1) I'm not sure that the calculations given in the article are good.<br>
The average alone does not give a lot of information. For example:<br>
<br>
(1+90)/2 = 45.5 and (45+46)/2 = 45.5<br>
<br>
It would be similar if 1 point meant a patch released very late,<br>
90 released very early, and 45 and 46 in the middle. As one can<br>
see, release time differs very much, but the average is the<br>
same. So the average alone does not give a lot of information.<br>
It would be a different story if, together with the average, there<br>
were the standard distribution; the average alone is not enough.<br>
<br>
2) I don't think that this calculation can be used for future<br>
planning: "what system will be better". Statistically, we should<br>
apply "z" or at least "t" statistics instead of a simple average.<br>
<br>
Generally speaking, the calculations given in the article are the simplest<br>
ones taught in primary school. I did not find anything from<br>
advanced statistics according to which the rating could be applied.<br>
<br>
elwis<br>
<br><br><div><span class="gmail_quote">On 8/7/06, <b class="gmail_sendername">Vincent Rivellino</b> <<a href="mailto:vince@...">vince@...</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
-----BEGIN PGP SIGNED MESSAGE-----<br>Hash: SHA1<br><br>Interesting study. I like the premise of it. However, I'm not sure I<br>agree with their method. From the article:<br><br>"For instance, if a distribution fixed an issue on the earliest date, it
<br>would receive a score of 100 for that issue; if it was the last vendor to<br>fix the issue, it would get a score of 0. One can then average the scores<br>after evaluating the 30 issues."<br><br>So this is just a ranking, with no quantitative results. What I'd really
<br>like to know are the distributions' average response times for the High<br>and Moderate vulnerabilities.<br><br>While Gentoo might be 6th, I'd like to know how much slower Gentoo gets<br>out patches than Ubuntu, Fedora, and/or RHEL.
<br><br><br>- -Vince<br><br><br>- --<br>Vincent Rivellino<br>GPG Key ID: 62BFEBE4<br><a href="https://cuz.cx/gpg">https://cuz.cx/gpg</a><br><br><br>On Mon, August 7, 2006 07:42, Wolfram Schlich wrote:<br>> Hi,<br>><br>
><br>> I just stumbled over an article from SearchSecurity.com which was linked<br>> to in a heise newsticker posting that tries to analyze how fast<br>> distributions react to security vulnerabilities:<br>>
<br>> <a href="http://tinyurl.com/lplfb">http://tinyurl.com/lplfb</a><br>><br>><br>> Quick chart:<br>><br>><br>
> Rank Distro Points/100<br>> ---- ------------------------- ----------<br>
> 1. Ubuntu 76<br>> 2. Fedora Core 70<br>> 3. Red Hat Enterprise Linux 63<br>> 4. Debian GNU/Linux 61<br>> 5. Mandriva Linux 54<br>> 6. Gentoo Linux 39<br>> 7. Trustix Secure Linux 32<br>> 8. SUSE Linux Enterprise 32<br>> 9. Slackware Linux 30<br>><br>><br>> Rank 6 out of 10 is not a great result -- at least we beat SUSE ;)<br>
><br>><br>> Any comments or thoughts about this?<br>> Can we become better?<br>> Are we maybe better than the author pretends?<br>> Does the security team currently face serious problems that need to be<br>
> solved, be it inside or outside the security team?<br>><br>> I am just curious and would be glad to get some feedback :)<br>> --<br>> Regards,<br>> Wolfram Schlich <<a href="mailto:wschlich@g.o">
wschlich@g.o</a>><br>> Gentoo Linux * <a href="http://dev.gentoo.org/~wschlich/">http://dev.gentoo.org/~wschlich/</a><br>> --<br>> <a href="mailto:gentoo-security@g.o">gentoo-security@g.o</a>
mailing list<br>><br>><br><br><br>-----BEGIN PGP SIGNATURE-----<br>Version: GnuPG v1.4.4 (GNU/Linux)<br><br>iD8DBQFE12eKhUAfdmK/6+QRAm4sAJ9U4hDbql8b5Du7ELWTclnBdwXONACghkRk<br>PLfad2L0hjQZ99puzngf4nU=<br>=/aSm<br>-----END PGP SIGNATURE-----
<br><br>--<br><a href="mailto:gentoo-security@g.o">gentoo-security@g.o</a> mailing list<br><br></blockquote></div><br><br clear="all"><br>-- <br>Eilverijus Kondratas<br>Master studies in Computer Science<br>
Free University of Bozen-Bolzano<br>Italy, Bolzano
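The scoring rule Vince quotes from the article (earliest fixer gets 100, last gets 0, scores averaged over the issues) and the mean-versus-spread point elwis raises, carried through in code. This is an added example, not code from the thread or from the article, and the four "distributions" and their fix dates are constructed to make the point: two of them come out with the same mean score and the same mean lag, and only the standard deviation separates them. It also computes the mean lag in days behind the first fixer, which is the quantity Vince asks for and which the 0..100 normalisation discards.

```python
"""Added example (not from the thread or the article): the per-issue scoring
rule quoted in the thread, re-implemented on constructed data, next to the
statistics the replies ask for: mean lag in days behind the first fixer and
the spread (population standard deviation) of both score and lag.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

# Constructed data: offsets in days, per issue, from the first fixer's date.
# "First" always ships first and "Last" always ships 100 days later, so the
# window is the same for every issue; Steady sits at day 50 every time while
# Erratic alternates between day 10 and day 90. Names are invented.
_OFFSETS = [
    {"First": 0, "Last": 100, "Steady": 50, "Erratic": 10},
    {"First": 0, "Last": 100, "Steady": 50, "Erratic": 90},
    {"First": 0, "Last": 100, "Steady": 50, "Erratic": 10},
    {"First": 0, "Last": 100, "Steady": 50, "Erratic": 90},
]
SAMPLE_ISSUES = {
    f"issue-{i}": {d: date(2006, 1, 1) + timedelta(days=30 * i + off)
                   for d, off in offsets.items()}
    for i, offsets in enumerate(_OFFSETS, start=1)
}


def score_issue(fix_dates):
    """Score one issue the way the quoted article describes: the earliest fix
    gets 100, the latest gets 0, everyone else is placed linearly in between
    by date. Ties share a score; if all fixes land on one day, all get 100.
    Only the position inside the window matters, so absolute delay is lost."""
    first, last = min(fix_dates.values()), max(fix_dates.values())
    span = (last - first).days
    if span == 0:
        return {d: 100.0 for d in fix_dates}
    return {d: 100.0 * (last - fix).days / span for d, fix in fix_dates.items()}


def lag_days(fix_dates):
    """Days each distro shipped after the first fixer: the quantity the
    thread asks for, which the 0..100 score normalises away."""
    first = min(fix_dates.values())
    return {d: (fix - first).days for d, fix in fix_dates.items()}


def summarize(issues):
    """Per distro: mean score (the article's metric) plus the spread of the
    scores, and the mean and spread of the lag in days."""
    scores, lags = defaultdict(list), defaultdict(list)
    for fix_dates in issues.values():
        for d, s in score_issue(fix_dates).items():
            scores[d].append(s)
        for d, lag in lag_days(fix_dates).items():
            lags[d].append(lag)
    return {
        d: {
            "score": mean(scores[d]),
            "score_sd": pstdev(scores[d]),
            "lag_mean": mean(lags[d]),
            "lag_sd": pstdev(lags[d]),
        }
        for d in scores
    }


def ranking(issues):
    """Distros ordered by mean score, highest first, as in the article's chart."""
    stats = summarize(issues)
    return sorted(stats, key=lambda d: stats[d]["score"], reverse=True)


if __name__ == "__main__":
    stats = summarize(SAMPLE_ISSUES)
    print(f"{'Distro':<8}{'score':>7}{'sd':>6}{'lag mean':>10}{'lag sd':>8}")
    for d in ranking(SAMPLE_ISSUES):
        s = stats[d]
        print(f"{d:<8}{s['score']:>7.1f}{s['score_sd']:>6.1f}"
              f"{s['lag_mean']:>10.1f}{s['lag_sd']:>8.1f}")
```

Run as a script it prints one row per distro. Steady and Erratic both score 50 with a mean lag of 50 days, exactly the (1+90)/2 versus (45+46)/2 situation from the post, and the two standard-deviation columns (0 versus 40) are the only place the difference shows up. Swapping real fix dates into `SAMPLE_ISSUES` reproduces the article's ranking and adds the lag statistics the article does not report.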