Re: Debian security being trashed in Linux Today comments

To: debian-security list <debian-security@lists.debian.org>
Subject: Re: Debian security being trashed in Linux Today comments
From: Colin Phipps <cph@netcraft.com>
Date: Tue, 15 Jan 2002 13:52:47 +0000
Message-id: <[🔎] 20020115135247.GA2119@netcraft.com>
Mail-followup-to: debian-security list <debian-security@lists.debian.org>
In-reply-to: <[🔎] 1011098571.4630.0.camel@web>
References: <[🔎] 20020114181646.L12133@alanya.lupe-christoph.de> <[🔎] HPEJLJPGLJEDODFNGGHMCEAHCAAA.jeremy@home.lan> <[🔎] 20020115032020.GE8902@llama.nslug.ns.ca> <[🔎] 20020115092320.W12133@alanya.lupe-christoph.de> <[🔎] 20020115120712.GF3595@dat.etsit.upm.es> <[🔎] 1011098571.4630.0.camel@web>

On Wed, Jan 16, 2002 at 01:42:50AM +1300, Adam Warner wrote:
> "...it took the Debian Security Team an average of 35 days to fix
> security-related vulnerabilites."
> 
> An average based upon a very long tail is highly misleading. Please
> quote the median time to fix a vulnerability instead.

It is not misleading in this case, the tail is the _most_ important part
of the data.  It doesn't matter if we patch every other hole in 10
minutes if we leave one open for months.

Furthermore I think the mean is exactly the right measure of this: from
the user point of view, the important figure is total exposure time,
i.e. sum of time between vulnerability discovery and patch (for
installed packages) for all vulns. For someone who installs every Debian
package, this is equal to (# of vulnerabilities)x(mean time to patch).
The former measures how well packages are audited in advance, the latter
measures how quickly vulnerabilities are corrected. It's the right
statistic.

-- 
Colin Phipps         PGP 0x689E463E     http://www.netcraft.com/

Reply to:

Follow-Ups:
- Re: Debian security being trashed in Linux Today comments
  - From: Wichert Akkerman <wichert@wiggy.net>
- Re: Debian security being trashed in Linux Today comments
  - From: Tim Haynes <debian@stirfried.vegetable.org.uk>
- Re: Debian security being trashed in Linux Today comments
  - From: "Karl E. Jorgensen" <karl@jorgensen.com>

References:
- Re: Debian security being trashed in Linux Today comments
  - From: Lupe Christoph <lupe@lupe-christoph.de>
- RE: Debian security being trashed in Linux Today comments
  - From: "Jeremy L. Gaddis" <jlgaddis@blueriver.net>
- Re: Debian security being trashed in Linux Today comments
  - From: Peter Cordes <peter@llama.nslug.ns.ca>
- Re: Debian security being trashed in Linux Today comments
  - From: Lupe Christoph <lupe@lupe-christoph.de>
- Re: Debian security being trashed in Linux Today comments
  - From: Javier Fernández-Sanguino Peña <jfs@computer.org>
- Re: Debian security being trashed in Linux Today comments
  - From: Adam Warner <lists@consulting.net.nz>

Prev by Date: Re: default security
Next by Date: Re: Debian security being trashed in Linux Today comments
Previous by thread: Re: Debian security being trashed in Linux Today comments
Next by thread: Re: Debian security being trashed in Linux Today comments
Index(es):
- Date
- Thread