
Re: Security Stats



On Wed, Jul 24, 2002 at 08:03:44PM -0400, Phillip Hofmeister wrote:
> All,
> 
> I am doing a college Honor's project on different distributions.  Data on
> Debian and its security fixes would be helpful if it is available.  I would
> be looking for anything useful, in particular, the following:
> 
> How many security fixes each quarter for the past 2 or 3 quarters.
> How many packages have been supported during said time.
> Mean time until security update.
> 
> If this information is available it would be VERY useful

	I did such a study a while back (search the archives) for the
year 2001. It should be referenced from the "Securing Debian Manual" too
(if you do not want to find the link yourself).

	In order to help make this kind of study, the new DSAs published
on the website, and the metadata used to generate them, include links to
vulnerability databases (CERT, Bugtraq and CVE). You could easily download
the WML sources of the web server (from the CVS) or use the HTML pages to
determine the time that it takes for Debian to fix vulnerabilities (since
you can parse the other databases for the reported time).

	I haven't gotten around to programming it myself (but it's on my TODO);
in any case, I have updated from time to time some published
vulnerabilities with links to CERT, Bugtraq and CVE that might not be
available at the time the DSA is published (otherwise the Security Team
does it already). Also, updates on the published information would be
appreciated (please send tables, diffs, or whatever to
debian-www@lists.debian.org).

	Any developments to automate this would be appreciated (since the
study I did a while back was automated :) Also, I, for one, would
appreciate reading the Honor's project.

	OTOH, from what I've seen of other distributions, it is quite
difficult to retrieve this information (i.e. it's not yet in a way it can
be extracted easily, if at all) and you might need to rely exclusively on
the "vendor" information available in public databases.

	Regards

	Javi
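
Added example, not part of the original message or of any Debian tooling: a sketch of the time-to-fix measurement the reply describes, reading each advisory's date and CVE references and comparing them with disclosure dates taken from another database. The `define-tag` layout with `report_date` and `secrefs` is an assumption about the WML metadata, and every advisory name, identifier and date below is constructed.

```python
import re
from datetime import date
from statistics import mean, median

# Constructed advisories; the define-tag layout is an assumption about the WML metadata.
SAMPLE_DSAS = {
    "dsa-sample-a": "<define-tag report_date>2002-03-10</define-tag>\n"
                    "<define-tag secrefs>CVE-1900-0001</define-tag>\n",
    "dsa-sample-b": "<define-tag report_date>2002-05-20</define-tag>\n"
                    "<define-tag secrefs>CAN-1900-0002 CVE-1900-0003</define-tag>\n",
    "dsa-sample-c": "<define-tag report_date>2002-06-02</define-tag>\n",  # no references
    "dsa-sample-d": "<define-tag report_date>2002-07-01</define-tag>\n"
                    "<define-tag secrefs>CVE-1900-0004</define-tag>\n",
}
# Constructed disclosure dates, standing in for a parsed external database.
DISCLOSED = {
    "CVE-1900-0001": date(2002, 3, 1),
    "CAN-1900-0002": date(2002, 5, 18),
    "CVE-1900-0003": date(2002, 5, 6),
    "CVE-1900-0004": date(2002, 6, 30),
}

TAG_RE = re.compile(r"<define-tag\s+(\w+)>(.*?)</define-tag>", re.S)
ID_RE = re.compile(r"\b(?:CVE|CAN)-\d{4}-\d{4,}\b")

def parse_dsa(text):
    """Return (advisory date, referenced ids), or None when no date is present."""
    tags = {name: value.strip() for name, value in TAG_RE.findall(text)}
    if "report_date" not in tags:
        return None
    return date.fromisoformat(tags["report_date"]), ID_RE.findall(tags.get("secrefs", ""))

def days_to_fix(dsas, disclosed):
    """Map advisory -> days from earliest known disclosure to the advisory date."""
    delays, skipped = {}, []
    for name, text in sorted(dsas.items()):
        parsed = parse_dsa(text)
        known = [disclosed[i] for i in parsed[1] if i in disclosed] if parsed else []
        if known:
            delays[name] = (parsed[0] - min(known)).days
        else:
            skipped.append(name)  # cannot be timed; report it rather than count it as 0
    return delays, skipped

def summarize(dsas, disclosed):
    delays, skipped = days_to_fix(dsas, disclosed)
    values = list(delays.values())
    return {"counted": len(values), "skipped": skipped,
            "mean": mean(values) if values else None,
            "median": median(values) if values else None}

if __name__ == "__main__":
    print(summarize(SAMPLE_DSAS, DISCLOSED))
```

Advisories without a resolvable reference are listed separately instead of being averaged in, since counting them as zero days would understate the mean time until a security update.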