On Thu, Jan 17, 2002 at 08:40:38PM +0100, Florian Weimer wrote:
> > I don't know what calendar the LWN editorial staff uses, but where I
> > live, the duration from December 14th to January 13th (the day the
> > Debian security advisory was released), more closely resembles one month
> > than two. (I would agree that falling behind even Red Hat is pretty
> > damning in the public eye, though.)
>
> The vulnerability was known before 2001-11-29 (IIRC); that day, the fix
> was committed to the public GNU libc CVS at anoncvs.cygnus.com
> (nowadays Red Hat).
>
> > Perhaps your point would be better taken if your arithmetic were more
> > accurate?
>
> I don't know when Debian was notified of the problem, but it was
> probably before 2001-12-14.

If LWN is using Red Hat as the yardstick with which to excoriate Debian
for the untimeliness of its security updates, then 2001-12-14 is the date
in question.

It would be a very different situation if LWN had said, "well, Red Hat
was the best of a bad lot; it took them 2 weeks to get out a security
fix, whereas Debian took six."

I *still* don't know where this "2 months" figure is coming from. Maybe
there was someone who knew about glibc's security vulnerability on
November 13th, but carry anything like this back far enough and you
eventually have an unfalsifiable hypothesis.

It seems to make sense to start the clock running when the first vendor
releases a security fix.

That said, Red Hat has been known to jump the gun on attempts at
coordinated releases across the various Linux and *BSD vendors. They
always claim it's an honest mistake. So perhaps starting the clock
running at the first released advisory isn't such a good metric either,
because in such a case it's not the other vendors' fault that they're
"late" -- one of their partners defected from the agreement.

Alternatively, we could conceptualize good security in terms more
complex than "penis war". Imagine that.

-- 
G. Branden Robinson                |    If God had intended for man to go
Debian GNU/Linux                   |    about naked, we would have been
branden@debian.org                 |    born that way.
http://people.debian.org/~branden/ |