Bug#339837: http://www.debian.org/security/ seriously misleading about security infrastructure performance
Javier Fernández-Sanguino Peña wrote:
On Sat, Nov 19, 2005 at 06:03:13PM -0500, Filipus Klutiero wrote:
I'd like to be sure about which claim you refer to. The current claim is
the one that says that Debian *does* issue fixes for most problems under
48 hours, right? I'm asking since if I understand right the statistics
you produced do make the bug valid.
I don't know where the current claim comes from, you'll have to ask the
OK, that's not what I was asking, but you answered my question anyway :)
Thanks, that's quite useful stuff. I have been wondering for some time
whether such data was available. Are you aware if there's an effort to
continue evaluating the security performance? Perhaps I should ask
Andreas Barth or Joey Hess instead? Note, while I don't have much time,
I'd be somewhat willing to participate in such an effort.
One thing I don't understand in the PDF is that there's a difference
between "Mean time" and "Average time". Apparently both of us aren't
native English speakers. I'm more familiar with the meaning of average
and median. When "mean" is used like you use it, does it mean "median"?
Now what confuses me is that you're asking to produce evidence against
the current claim, but according to your stats the median time is indeed
above 48 hours, isn't it? I count only 84 entries out of the 239 with a
Diff < 3 (although counting all Diff=2 is a bit generous). And as your
document says, the trend seems to make latency go up with time (I don't
expect things to have improved).
But maybe you're simply saying that we should trust www.debian.org
assuming that things have improved, and you're simply asking to collect
more current data? If that's it, I'd like to ask www.debian.org to
suggest a method that would convince them to remove or change the
current claim. I'd like this to include (what timeframe/how many
security issues) to review. Then I'm going to consider the bug on my side.
That looks interesting but also like a 404. I read your 2001 post and one
of the attachments is integrated in the text. I don't know how to view
it. I also don't know how to use the bin00000.bin attached. gunzip-ing
and trying a PNG viewer on it seemed to fail.
Oh, it should have been: