| 1 |
On Monday 07 August 2006 13:42, Wolfram Schlich wrote: |
| 2 |
> Hi, |
| 3 |
> |
| 4 |
> I just stumbled over an article from SearchSecurity.com which was linked to |
| 5 |
> in a heise newsticker posting that tries to analyze how fast distributions |
| 6 |
> react to security vulnerabilities: |
| 7 |
> |
| 8 |
> http://tinyurl.com/lplfb |
| 9 |
> |
| 10 |
> Quick chart: |
| 11 |
> |
| 12 |
> Rank Distro Points/100 |
| 13 |
> ---- ------------------------- ---------- |
| 14 |
> 1. Ubuntu 76 |
| 15 |
> 2. Fedora Core 70 |
| 16 |
> 3. Red Hat Enterprise Linux 63 |
| 17 |
> 4. Debian GNU/Linux 61 |
| 18 |
> 5. Mandriva Linux 54 |
| 19 |
> 6. Gentoo Linux 39 |
| 20 |
> 7. Trustix Secure Linux 32 |
| 21 |
> 8. SUSE Linux Enterprise 32 |
| 22 |
> 9. Slackware Linux 30 |
| 23 |
> |
| 24 |
> Rank 6 out of 10 is not a great result -- at least we beat SUSE ;) |
| 25 |
> |
| 26 |
> Any comments or thoughts about this? |
| 27 |
> Can we become better? |
| 28 |
> Are we maybe better than the author pretends? |
| 29 |
> Does the security team currently face serious problems that need to be |
| 30 |
> solved, be it inside or outside the security team? |
| 31 |
|
| 32 |
comment? |
| 33 |
yes. |
| 34 |
|
| 35 |
I would like to know, if they counted until the patch/fix was announced or |
| 36 |
until it was available? |
| 37 |
|
| 38 |
If you are using unstable (~arch) you will get a lot of fixes BEFORE they are |
| 39 |
announced. So when the nice 'packet FOO is vulnerable, upgrade to FOO+1' |
| 40 |
arrives, you think 'gee.. I updated to FOO+1 two nights ago....'. |
| 41 |
|
| 42 |
So there is a difference between: fix is available for unstable, fix is |
| 43 |
available for stable, fix is announced. |
| 44 |
|
| 45 |
And I would like to know, which of the three got into that 'statistic'. |
| 46 |
-- |
| 47 |
gentoo-security@g.o mailing list |
Archives