
Re: Debian security being trashed in Linux Today comments



On Wed, 2002-01-16 at 01:07, Javier Fernández-Sanguino Peña wrote:

> 	Already did it yesterday (except for the column with the data).
> See
> http://www.debian.org/doc/manuals/securing-debian-howto/ch11.en.html#s11.3

Please consider removing any reference to the average amount of time in
the FAQ:

"...it took the Debian Security Team an average of 35 days to fix
security-related vulnerabilities."

An average based upon a very long tail is highly misleading. Please
quote the median time to fix a vulnerability instead. This will be
less than or equal to 10 days given this statistic:

"over 50% of the vulnerabilities were fixed in a 10-days time"

Because of this research it looks like Debian's security information
page will have to be changed:

http://www.debian.org/security/

"Debian takes security very seriously. Most security problems brought to
our attention are corrected within 48 hours."

That's just not an honest description of what's occurred. It appears
from the research that most (i.e. > 50%) of security problems are
corrected within 10 days, not 48 hours.

I still need to be able to download that spreadsheet. I have viewed the
PNG picture.

Regards,
Adam



