Javier Fernández-Sanguino Peña wrote:
I don't know where that data comes from, but I did produce some statistics a while back:

http://www.debian.org/News/2004/20040406
http://lists.debian.org/debian-security/2001/12/msg00257.html

I guess that whoever disagrees with the current claim should produce hard evidence against it.
Hi Javier,

I'd like to be sure about which claim you refer to. The current claim is the one that says that Debian *does* issue fixes for most problems under 48 hours, right? I'm asking since if I understand right the statistics you produced do make the bug valid.
That looks interesting but also like a 404. I read your 2001 post and one of the attachments is integrated in the text. I don't know how to view it. I also don't know how to use the bin00000.bin attached. gunzip-ing and trying a PNG viewer on it seemed to fail.

It is not that difficult to craft, just take the CVE database, other vendors' advisories, Bugtraq and our list of DSAs, put it in the same database and generate a report of "time to fix" in Debian for the woody/sarge releases.

Regards

Javier

PS: Contact me through private e-mail if anybody wants some of the scripts I used for the statistics above. BTW, some of the data is available at http://people.debian.org/~jfs/debconf/security/data/, but not the scripts.
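
A sketch of the "time to fix" report described above, added here as an illustration; it is not one of Javier's scripts and is not taken from the thread. The table layout, the function name `time_to_fix_report` and every identifier and date in the sample rows are assumptions constructed for the example.

```python
import sqlite3
from statistics import median

# Constructed sample rows (placeholder identifiers, not real advisories).
DISCLOSURES = [  # (vuln id, source, first public timestamp in UTC)
    ("VULN-A", "cve", "2004-01-10 12:00:00"),
    ("VULN-A", "bugtraq", "2004-01-09 08:00:00"),
    ("VULN-B", "vendor", "2004-02-01 00:00:00"),
    ("VULN-C", "bugtraq", "2004-03-05 06:00:00"),
    ("VULN-D", "cve", "2004-03-20 00:00:00"),  # disclosed, no advisory yet
]
DSAS = [  # (advisory id, vuln id, release, publication timestamp in UTC)
    ("DSA-X1", "VULN-A", "woody", "2004-01-10 20:00:00"),
    ("DSA-X2", "VULN-B", "woody", "2004-02-06 00:00:00"),
    ("DSA-X3", "VULN-C", "sarge", "2004-03-04 06:00:00"),  # fix predates disclosure
    ("DSA-X4", "VULN-E", "sarge", "2004-04-01 00:00:00"),  # no disclosure record
]

def time_to_fix_report(disclosures, dsas, threshold_hours=48):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE disclosure (vuln TEXT, source TEXT, ts TEXT)")
    db.execute("CREATE TABLE dsa (id TEXT, vuln TEXT, release TEXT, ts TEXT)")
    db.executemany("INSERT INTO disclosure VALUES (?,?,?)", disclosures)
    db.executemany("INSERT INTO dsa VALUES (?,?,?,?)", dsas)
    # Earliest disclosure across all sources is the start of the clock.
    rows = db.execute("""
        SELECT d.release, d.id,
               (julianday(d.ts) - julianday(MIN(p.ts))) * 24.0 AS hours
        FROM dsa d LEFT JOIN disclosure p ON p.vuln = d.vuln
        GROUP BY d.id ORDER BY d.id""").fetchall()
    report = {}
    for release, dsa_id, hours in rows:
        r = report.setdefault(release, {"hours": [], "unmatched": []})
        if hours is None:
            r["unmatched"].append(dsa_id)  # not measurable; keep it visible
        else:
            r["hours"].append(max(0.0, round(hours, 2)))  # early fix counts as 0
    for r in report.values():
        h = r["hours"]
        r["median_hours"] = median(h) if h else None
        r["share_within"] = sum(x <= threshold_hours for x in h) / len(h) if h else None
    return report

if __name__ == "__main__":
    for release, stats in time_to_fix_report(DISCLOSURES, DSAS).items():
        print(release, stats)
```

Advisories with no matching disclosure record are listed rather than silently dropped, since how they are counted changes the "under 48 hours" share.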