the_JinX
February 8th, 2002, 05:26 PM
Hi all,
Today I read this on : http://lwn.net/
Whew. That is a total of 290 updates for 145 unique vulnerabilities. It would seem that the vnunet article actually underestimated the problem. A quick look at the totals suggests that Turbolinux is the most secure distribution with only 28 updates, while Debian and Mandrake top the list at 81. It must be time to put out a press release. That is, of course, complete nonsense. Why do the different distributors have different numbers of updates? Here's a few reasons: Not all distributors ship the same packages. Debian, due to its size, is almost guaranteed to have more issues than any other distribution. Very few others ship packages like cfingerd or xtel. Distributors sometimes combine multiple fixes into a single update - especially if they are running behind. The number of updates puts a lower bound on the number of security problems fixed, but doesn't tell much more than that. Some distributors are rather better at getting updates out than others. All distributions, for example, were vulnerable to the latest glibc buffer overflow problem. Debian's update came out in January, and thus didn't quite make the 2001 table. Turbolinux has yet to issue an update for that problem, and for many others. If you simply count and compare updates, you will penalize the distributions that are more serious about security. In other words, we are not yet at a point where we can make meaningful comparisons even between Linux distributions. Trying to compare Linux with Windows seems like a waste of time. In the end, there is only so much to be learned about the security of an operating system by counting its published vulnerabilities. One has to look at the seriousness of each, how it was discovered (internal audit or external exploit), how long users had to wait for a fix, and how many users were actually compromised as a result of the problem. We need better ways of understanding and comparing security response; simply counting vulnerabilities is not sufficient.
I thought you might like to know this...
Today I read this on : http://lwn.net/
Whew. That is a total of 290 updates for 145 unique vulnerabilities. It would seem that the vnunet article actually underestimated the problem. A quick look at the totals suggests that Turbolinux is the most secure distribution with only 28 updates, while Debian and Mandrake top the list at 81. It must be time to put out a press release. That is, of course, complete nonsense. Why do the different distributors have different numbers of updates? Here's a few reasons: Not all distributors ship the same packages. Debian, due to its size, is almost guaranteed to have more issues than any other distribution. Very few others ship packages like cfingerd or xtel. Distributors sometimes combine multiple fixes into a single update - especially if they are running behind. The number of updates puts a lower bound on the number of security problems fixed, but doesn't tell much more than that. Some distributors are rather better at getting updates out than others. All distributions, for example, were vulnerable to the latest glibc buffer overflow problem. Debian's update came out in January, and thus didn't quite make the 2001 table. Turbolinux has yet to issue an update for that problem, and for many others. If you simply count and compare updates, you will penalize the distributions that are more serious about security. In other words, we are not yet at a point where we can make meaningful comparisons even between Linux distributions. Trying to compare Linux with Windows seems like a waste of time. In the end, there is only so much to be learned about the security of an operating system by counting its published vulnerabilities. One has to look at the seriousness of each, how it was discovered (internal audit or external exploit), how long users had to wait for a fix, and how many users were actually compromised as a result of the problem. We need better ways of understanding and comparing security response; simply counting vulnerabilities is not sufficient.
I thought you might like to know this...