On Monday 07 August 2006 13:42, Wolfram Schlich wrote:
> Hi,
>
> I just stumbled over an article from SearchSecurity.com which was linked to
> in a heise newsticker posting that tries to analyze how fast distributions
> react to security vulnerabilities:
>
> http://tinyurl.com/lplfb
>
> Quick chart:
>
> Rank  Distro                     Points/100
> ----  -------------------------  ----------
> 1.    Ubuntu                             76
> 2.    Fedora Core                        70
> 3.    Red Hat Enterprise Linux           63
> 4.    Debian GNU/Linux                   61
> 5.    Mandriva Linux                     54
> 6.    Gentoo Linux                       39
> 7.    Trustix Secure Linux               32
> 8.    SUSE Linux Enterprise              32
> 9.    Slackware Linux                    30
>
> Rank 6 out of 10 is not a great result -- at least we beat SUSE ;)
>
> Any comments or thoughts about this?
> Can we become better?
> Are we maybe better than the author pretends?
> Does the security team currently face serious problems that need to be
> solved, be it inside or outside the security team?

comment?
yes.

I would like to know if they counted until the patch/fix was announced or
until it was available.

If you are using unstable (~arch) you will get a lot of fixes BEFORE they are
announced. So when the nice 'packet FOO is vulnerable, upgrade to FOO+1'
arrives, you think 'gee.. I updated to FOO+1 two nights ago....'.

So there is a difference between: fix is available for unstable, fix is
available for stable, fix is announced.

And I would like to know which of the three got into that 'statistic'.
--
gentoo-security@g.o mailing list