Wolfram Schlich <lists@×××××××××××××××.org> posted
20060807114221.ALLYOURBASEAREBELONGTOUS.J1712@×××××××××.org, excerpted
below, on Mon, 07 Aug 2006 13:42:21 +0200:

> I just stumbled over an article from SearchSecurity.com which was linked
> to in a heise newsticker posting that tries to analyze how fast
> distributions react to security vulnerabilities:
>
> http://tinyurl.com/lplfb
>
> Quick chart:
>
> Rank  Distro                     Points/100
> ----  -------------------------  ----------
>   1.  Ubuntu                             76
>   2.  Fedora Core                        70
>   3.  Red Hat Enterprise Linux           63
>   4.  Debian GNU/Linux                   61
>   5.  Mandriva Linux                     54
>   6.  Gentoo Linux                       39
>   7.  Trustix Secure Linux               32
>   8.  SUSE Linux Enterprise              32
>   9.  Slackware Linux                    30
>
> Rank 6 out of 10 is not a great result -- at least we beat SUSE ;)

I saw the same article and was similarly unhappy. One thing to note is
that the timings, AFAIK, are based on the release of the security
announcement for the distribution. With Gentoo, as others have pointed
out, that means waiting for everybody to stabilize the update -- it's
actually in the tree days/weeks before that.

Realizing it's there for those who want it, well before the GLSA, is
useful, although it doesn't particularly help our standing or make us look
that great. I do know, however, that as a ~arch user, most of the time
when I see a GLSA on the announce list, I check and I've had the fixed
version installed for a week or more.

For those who prefer stable, the above info can still be helpful. As long
as you normally visit community sites such as LWN, which list security
announcements when they become public (an article is created at the
original announcement by the first distrib or the finder/upstream, then
updated as the various distribs do their own announcements), the ebuilds
are usually in the tree either at the moment of public announcement, or
within 24 to 48 hours, best I can tell. There's nothing saying you have
to wait for the GLSA or even for stable keywording. Once you see the
announcement, check the tree for the version in question, or the
changelog, as sometimes it's not a new version upstream so it's just a
Gentoo -rX revision. You can then use package.keywords, etc., as
appropriate, to get the security update, even if you normally use stable,
days/weeks before the GLSA, and normally very soon after public
announcement.

-- 
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman

-- 
gentoo-dev@g.o mailing list
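The procedure Duncan describes (see the announcement, check the tree for the fixed version or a Gentoo -rX revision bump, then keyword just that version on an otherwise stable box) as an added shell example. This is not code from the post, from Gentoo, or from Portage; it assumes the classic tree layout CATEGORY/PKG/PKG-VERSION.ebuild with a per-package ChangeLog, and the package app-misc/sample, its versions and the temporary paths in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of Duncan's post or of Gentoo's own tooling.
# Given a public security announcement naming a fixed version, locate the
# matching ebuild in a Portage tree (allowing for a Gentoo -rN revision
# bump when upstream did not release a new version), confirm the ChangeLog
# mentions it, and write the package.keywords entry that lets an otherwise
# stable system pull that one version early.  The package, versions and
# paths used by the demo are constructed, not real.
set -u

# find_fixed_ebuild TREE CATEGORY PKG VERSION
# Prints the path of the ebuild for VERSION, preferring the highest -rN
# revision if the fix arrived as a revision bump.  Fails if none exists.
find_fixed_ebuild() {
    tree=$1 category=$2 pkg=$3 ver=$4
    dir="$tree/$category/$pkg"
    [ -d "$dir" ] || return 1
    best='' bestrev=-1
    for f in "$dir/$pkg-$ver.ebuild" "$dir/$pkg-$ver"-r*.ebuild; do
        [ -f "$f" ] || continue            # an unmatched glob stays literal
        b=${f##*/}
        case "$b" in
            *-r[0-9]*.ebuild) rev=${b##*-r}; rev=${rev%.ebuild} ;;
            *)                rev=0 ;;     # plain VERSION counts as -r0
        esac
        if [ "$rev" -gt "$bestrev" ]; then best=$f; bestrev=$rev; fi
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# changelog_has TREE CATEGORY PKG PATTERN
# Succeeds if the package ChangeLog mentions PATTERN (e.g. the -rN name),
# which is the quick way to tell a security revision bump from a plain one.
changelog_has() {
    grep -q -- "$4" "$1/$2/$3/ChangeLog" 2>/dev/null
}

# keyword_entry EBUILD_PATH ARCH
# Turns TREE/CATEGORY/PKG/PKG-VERSION.ebuild into the exact-version line
# "=CATEGORY/PKG-VERSION ~ARCH" that package.keywords expects, so only
# this one version is unmasked and the rest of the system stays stable.
keyword_entry() {
    pvr=${1##*/}; pvr=${pvr%.ebuild}
    pkgdir=${1%/*}; category=${pkgdir%/*}; category=${category##*/}
    printf '=%s/%s ~%s\n' "$category" "$pvr" "$2"
}

# add_keyword KEYWORDS_FILE ENTRY
# Appends ENTRY unless an identical line is already present, so repeated
# runs after each announcement do not pile up duplicates.
add_keyword() {
    [ -f "$1" ] || : > "$1"
    grep -qxF -- "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# make_sample_tree
# Builds a throwaway tree (constructed data) for a stand-alone run: the
# package app-misc/sample, whose fix landed as revision bump 1.2.3-r1.
# Prints the temporary root directory.
make_sample_tree() {
    root=$(mktemp -d)
    pdir="$root/tree/app-misc/sample"
    mkdir -p "$pdir" "$root/etc/portage"
    : > "$pdir/sample-1.2.3.ebuild"
    : > "$pdir/sample-1.2.3-r1.ebuild"
    printf '*sample-1.2.3-r1 (07 Aug 2006)\n\n  Revision bump: backport upstream security fix.\n' \
        > "$pdir/ChangeLog"
    printf '%s\n' "$root"
}

# Demo: sh this_script.sh --demo
if [ "${1:-}" = --demo ]; then
    root=$(make_sample_tree)
    if e=$(find_fixed_ebuild "$root/tree" app-misc sample 1.2.3); then
        entry=$(keyword_entry "$e" amd64)
        add_keyword "$root/etc/portage/package.keywords" "$entry"
        echo "found: $e"
        echo "added: $entry"
    else
        echo "fixed version not in the tree yet; check again later"
    fi
fi
```

On a real system the tree root would be PORTDIR (/usr/portage on a 2006-era install) and the keywords file /etc/portage/package.keywords; after the entry is in place, `emerge -1 =app-misc/sample-1.2.3-r1` pulls just that version. The exact-version `=` atom matters: a bare `app-misc/sample ~amd64` line would keep unmasking every future ~arch version of the package, which is not what a stable user asked for.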