| 1 |
Wolfram Schlich <lists@×××××××××××××××.org> posted |
| 2 |
20060807114221.ALLYOURBASEAREBELONGTOUS.J1712@×××××××××.org, excerpted |
| 3 |
below, on Mon, 07 Aug 2006 13:42:21 +0200: |
| 4 |
|
| 5 |
> I just stumbled over an article from SearchSecurity.com which was linked |
| 6 |
> to in a heise newsticker posting that tries to analyze how fast |
| 7 |
> distributions react to security vulnerabilities: |
| 8 |
> |
| 9 |
> http://tinyurl.com/lplfb |
| 10 |
> |
| 11 |
> Quick chart: |
| 12 |
> |
| 13 |
> Rank Distro Points/100 ---- ------------------------- |
| 14 |
> ---------- 1. Ubuntu 76 |
| 15 |
> 2. Fedora Core 70 |
| 16 |
> 3. Red Hat Enterprise Linux 63 |
| 17 |
> 4. Debian GNU/Linux 61 |
| 18 |
> 5. Mandriva Linux 54 |
| 19 |
> 6. Gentoo Linux 39 |
| 20 |
> 7. Trustix Secure Linux 32 |
| 21 |
> 8. SUSE Linux Enterprise 32 |
| 22 |
> 9. Slackware Linux 30 |
| 23 |
> |
| 24 |
> Rank 6 out of 10 is not a great result -- at least we beat SUSE ;) |
| 25 |
|
| 26 |
I saw the same article and was similarly unhappy. One thing to note is |
| 27 |
that the timings, AFAIK, are based on the release of the security |
| 28 |
announcement for the distribution. With Gentoo, as others have pointed |
| 29 |
out, that means waiting for everybody to stabilize the update -- it's |
| 30 |
actually in the tree days/weeks before that. |
| 31 |
|
| 32 |
Realizing it's there for those who want it, well before the GLSA, is |
| 33 |
useful, altho it doesn't particularly help our standing or make us look |
| 34 |
that great. I do know however, that as a ~arch user, most of the time |
| 35 |
when I see a GLSA on the announce list, I check and I've had the fixed |
| 36 |
version installed for a week or more. |
| 37 |
|
| 38 |
For those who prefer stable, the above info can still be helpful. As long |
| 39 |
as you normally visit community sites such as LWN, which list security |
| 40 |
announcements when they become public (an article is created at the |
| 41 |
original announcement by the first distrib or the finder/upstream, then |
| 42 |
updated as the various distribs do their own announcements), the ebuilds |
| 43 |
are usually in the tree either at the moment of public announcement, or |
| 44 |
within 24 to 48 hours, best I can tell. There's nothing saying you have |
| 45 |
to wait for the GLSA or even for stable keywording. Once you see the |
| 46 |
announcement, check the tree for the version in question, or the |
| 47 |
changelog, as sometimes it's not a new version upstream so it's just a |
| 48 |
Gentoo -rX revision. You can then use package.keyword and etc. as |
| 49 |
appropriate, to get the security update, even if you normally use stable, |
| 50 |
days/weeks before the GLSA, and normally very soon after public |
| 51 |
announcement. |
| 52 |
|
| 53 |
-- |
| 54 |
Duncan - List replies preferred. No HTML msgs. |
| 55 |
"Every nonfree program has a lord, a master -- |
| 56 |
and if you use the program, he is your master." Richard Stallman |
| 57 |
|
| 58 |
-- |
| 59 |
gentoo-dev@g.o mailing list |
Archives