Mailing List Archive

Re: SearchSecurity.com: 'Linux patch problems: Your distro may vary'
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Interesting study. I like the premise of it. However, I'm not sure I
agree with their method. From the article:

"For instance, if a distribution fixed an issue on the earliest date, it
would receive a score of 100 for that issue; if it was the last vendor to
fix the issue, it would get a score of 0. One can then average the scores
after evaluating the 30 issues."

So this is just a ranking, with no quantitative results. What I'd really
like to know are the distributions' average response times for the High
and Moderate vulnerabilities.

While Gentoo might be 6th, I'd like to know how much slower Gentoo gets
out patches than Ubuntu, Fedora, and/or RHEL.


- -Vince


- --
Vincent Rivellino
GPG Key ID: 62BFEBE4
https://cuz.cx/gpg


On Mon, August 7, 2006 07:42, Wolfram Schlich wrote:
> Hi,
>
>
> I just stumbled over an article from SearchSecurity.com which was linked
> to in a heise newsticker posting that tries to analyze how fast
> distributions react to security vulnerabilities:
>
> http://tinyurl.com/lplfb
>
>
> Quick chart:
>
>
> Rank Distro Points/100
> ---- ------------------------- ----------
> 1. Ubuntu 76
> 2. Fedora Core 70
> 3. Red Hat Enterprise Linux 63
> 4. Debian GNU/Linux 61
> 5. Mandriva Linux 54
> 6. Gentoo Linux 39
> 7. Trustix Secure Linux 32
> 8. SUSE Linux Enterprise 32
> 9. Slackware Linux 30
>
>
> Rank 6 out of 10 is not a great result -- at least we beat SUSE ;)
>
>
> Any comments or thoughts about this?
> Can we become better?
> Are we maybe better than the author pretends?
> Does the security team currently face serious problems that need to be
> solved, be it inside or outside the security team?
>
> I am just curious and would be glad to get some feedback :)
> --
> Regards,
> Wolfram Schlich <wschlich@gentoo.org>
> Gentoo Linux * http://dev.gentoo.org/~wschlich/
> --
> gentoo-security@gentoo.org mailing list
>
>


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFE12eKhUAfdmK/6+QRAm4sAJ9U4hDbql8b5Du7ELWTclnBdwXONACghkRk
PLfad2L0hjQZ99puzngf4nU=
=/aSm
-----END PGP SIGNATURE-----

--
gentoo-security@gentoo.org mailing list
Re: SearchSecurity.com: 'Linux patch problems: Your distro may vary' [ In reply to ]
Hi,

1) I'm not sure that the calculations given in the article are good.
The average alone does not give a lot of information. For example:

(1+90)/2 = 45.5 and (45+46)/2 = 45.5

That would correspond to 1 point if a patch is released very late,
90 if released very early, and 45, 46 in the middle. As one can
see, the release times differ very much, but the average is the
same. So the average alone does not give a lot of information.
It would be a different story if, together with the average, there
were a standard distribution; the average alone is not enough.

2) I don't think that this calculation can be used for future
planning: "what system will be better". Statistically we should
apply "z" or at least "t" statistics instead of a simple average.

Generally speaking, the calculations given in the article are the simplest
ones taught in primary school. I did not find anything from
advanced statistics according to which the rating could be applied.

elwis




--
Eilverijus Kondratas
Master studies in Computer Science
Free University of Bozen-Bolzano
Italy, Bolzano
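To make both points above concrete (Vince's: a rank has no units, so it cannot say how much slower one distro is; elwis's: the same average hides very different spreads), here is an added example that is not from the article or from anyone in this thread. The article is only quoted as giving the two end points of its rule (earliest fix = 100, last fix = 0); the linear spacing of the distros in between is an assumption made here. The issues, dates and distros A, B, C are invented for the illustration.

```python
"""Rank-based score (as quoted from the article) next to absolute patch delay.

Added example, not part of the original thread. The linear interpolation
between the two quoted end points (100 for earliest, 0 for last) is an
assumption; all data below is constructed.
"""
from datetime import date, timedelta
from statistics import mean, pstdev


def _fixes(disclosed, **delays_by_distro):
    """Build one issue record from a disclosure date and per-distro delays (days)."""
    return {
        "disclosed": disclosed,
        "fixed": {d: disclosed + timedelta(days=n) for d, n in delays_by_distro.items()},
    }


# Constructed data set: A and B have the same mean delay (45.5 days) but
# very different spread, mirroring the (1+90)/2 vs (45+46)/2 example;
# C is consistently fast. Disclosure dates vary so the delay has to be computed.
ISSUES = {
    "issue-1": _fixes(date(2006, 1, 10), A=1,  B=45, C=2),
    "issue-2": _fixes(date(2006, 2, 3),  A=90, B=46, C=3),
    "issue-3": _fixes(date(2006, 3, 14), A=1,  B=45, C=2),
    "issue-4": _fixes(date(2006, 4, 21), A=90, B=46, C=3),
}


def delays_in_days(issues):
    """Absolute response time per distro: days from disclosure to fix, per issue."""
    out = {}
    for info in issues.values():
        for distro, fixed in info["fixed"].items():
            out.setdefault(distro, []).append((fixed - info["disclosed"]).days)
    return out


def rank_scores(issues):
    """Per-issue scores under the quoted rule: earliest fix 100, last fix 0.

    Distros in between are spaced linearly by position (assumption). Distros
    with identical fix dates keep their sorted order, so ties are not shared.
    """
    out = {}
    for info in issues.values():
        ordered = sorted(info["fixed"], key=lambda d: info["fixed"][d])
        n = len(ordered)
        for position, distro in enumerate(ordered):
            score = 100.0 * (n - 1 - position) / (n - 1) if n > 1 else 100.0
            out.setdefault(distro, []).append(score)
    return out


def summarize(issues):
    """Average rank score alongside mean and population std dev of the delay."""
    scores, delays = rank_scores(issues), delays_in_days(issues)
    return {
        distro: {
            "score": mean(scores[distro]),
            "mean_delay": mean(delays[distro]),
            "stdev_delay": pstdev(delays[distro]),
        }
        for distro in delays
    }


if __name__ == "__main__":
    for distro, s in sorted(summarize(ISSUES).items(), key=lambda kv: -kv[1]["score"]):
        print(f"{distro}: score {s['score']:5.1f}  mean delay {s['mean_delay']:5.1f} d"
              f"  std dev {s['stdev_delay']:5.1f} d")
```

On this data A scores 50 and B scores 25, although both take 45.5 days on average; the 25-point gap comes entirely from A's spread (std dev 44.5 days against B's 0.5). C scores 75, only 25 points above A, while in absolute terms it patches in 2.5 days against A's 45.5. Neither of those facts is recoverable from the score column alone, which is why the response times themselves, with a measure of spread, are the numbers worth asking the authors for.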
Re: SearchSecurity.com: 'Linux patch problems: Your distro may vary' [ In reply to ]
On Wednesday 09 August 2006 07:53, Eilverijus Kondratas wrote:
> 2) I don't think that this calculation can be used for future
> planning: "what system will be better". Statistically we should
> apply "z" or at least "t" statistics instead of a simple average.
>
> Generally speaking, the calculations given in the article are the simplest
> ones taught in primary school. I did not find anything from
> advanced statistics according to which the rating could be applied.

So, perhaps we should request the data-set from the authors and apply some
more (re)gressive statistics to the problem.

Regards,

- Brian
--
gentoo-security@gentoo.org mailing list