Linux Distribution Security Report -- disappointing
In <http://www.securityportal.com/cover/coverstory20000724.html>, you
state:
> I have not fully covered Slackware and Debian, with their ridiculously
> slow release schedules.
I'm very disappointed on two levels: First that you provide such a
comprehensive and useful report and yes omit one of the more popular linux
distributions[6], and second that you have made such an erroneous assumption
about Debian's release methodology.
Your main mistake is that you have failed to realize that Debian
releases timely security fixes, which are distributed to Debian users
via the internet. Users can choose to configure their systems to receive
these updates[1]. This makes release intervals orthogonal to whether users
receive security fixes.
Moreover, Debian has _frequent_ minor releases. These releases consist
mostly of security fixes, and they serve to get the security fixes out
to fresh Debian installs, plus to anyone who installs from CD and does
not set up their system to receive security fixes via the net. You may
have missed these releases, since in Debian, "2.1" is a new major
release (with an implied "r1"), while "2.1r2" is the first minor release
-- an unusual nomenclature compared to the other distributions.
Interestingly, minor releases of Debian 2.1 have occurred more frequently
than minor releases of Red Hat 6 (which, as you note, "shoves a new version
out the door every 6 months like clockwork").
Debian Red Hat
2.1
8 days
2.1r2
167 days
2.1r3 6.0
104 days 161 days
2.1r4 6.1
117 days 175 days
2.1r5 6.2
[ Interestingly, a poster on slashdot has numbers[5] that show that
the other distribution you left out (Slackware) also releases just as
frequently as Red Hat. ]
In light of these problems, I think it would be quite beneficial if you
added Debian to your paper. Security announcement since 1998 are
archived in both the archives of the debian-security-announce mailing
list[3], and on http://security.debian.org/ (which also includes
advisories from 1997). So, I dug up some numbers (I read the changelog
pointed to by footnote 2, and counted security fixes. This is probably
not as accurate as your numbers.)
Release Security Alerts
2.1 1
2.1r2 16
2.1r3 19
2.1r4 5
2.1r5
Moving on to the second part of your paper, specific incidents and how
quickly distributions responded, I've looked up some data on Debian's
responses.
Local root exploit in kernel <2.2.15, announced on June 8th.
On June 12th, Debian announced[4] it had fixed the hole *before*
the exploit was announced, and thus was not vulnerable.
fdmount, announced May 22.
Debian has never installed it suid, and thus has never been
vulnerable (as you noted -- thanks).
By the way, I think this section of your paper looked at too few holes to
draw any real conclusions from. But Debian seems to have been near the
head of the pack in this limited sampling.
In closing, I'd like to point out that the current 1 and a half 5 year --
not 2 year as you continually state -- gap between Debian 2.1 and 2.2 is
so far an exception, and not -- as you continually imply -- a rule. Major
Debian releases:
1.1
6 months
1.2
7 months
1.3
12 months
2.0
8 months
2.1
(19 months?)
2.2
--
see shy jo, fond of lies, damn lies, and statistics
[1] (For instructions to configure a Debian system to receive such fixes,
see for example, http://security.debian.org/, in the 5th paragraph.)
[2] This information from ftp://ftp.debian.org/debian/dists/stable/Debian2.1r5
[3] http://www.debian.org/Lists-Archives/debian-security-announce-98/threads.html
http://www.debian.org/Lists-Archives/debian-security-announce-99/threads.html
http://www.debian.org/Lists-Archives/debian-security-announce-00/threads.html
[4] http://www.debian.org/security/2000/20000612
[5] http://slashdot.org/comments.pl?sid=00/07/25/1444233&cid=141
[6] I'm not going to argue this in detail, but just see how people reacted to
your ommissions on slashdot. Debian has a rather large mindshare, though
its market share is less quantifiable.
http://slashdot.org/article.pl?sid=00/07/25/1444233&mode=nested
Reply to: