
Re: Debian security being trashed in Linux Today comments

On Wed, Jan 16, 2002 at 01:42:50AM +1300, Adam Warner wrote:
> "...it took the Debian Security Team an average of 35 days to fix
> security-related vulnerabilities."
> An average based upon a very long tail is highly misleading. Please
> quote the median time to fix a vulnerability instead.

It is not misleading in this case, the tail is the _most_ important part
of the data.  It doesn't matter if we patch every other hole in 10
minutes if we leave one open for months.

Furthermore I think the mean is exactly the right measure of this: from
the user point of view, the important figure is total exposure time,
i.e. sum of time between vulnerability discovery and patch (for
installed packages) for all vulns. For someone who installs every Debian
package, this is equal to (# of vulnerabilities)x(mean time to patch).
The former measures how well packages are audited in advance, the latter
measures how quickly vulnerabilities are corrected. It's the right

Colin Phipps         PGP 0x689E463E     http://www.netcraft.com/
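A constructed illustration of the argument in the reply above, added here and not part of the mailing-list thread: ten hypothetical advisories (not real Debian data) whose mean fix time is 35 days while the median is only 2.5 days, showing that total exposure equals (count) x (mean) and is dominated by the slow tail.

```python
from datetime import date
from statistics import mean, median

# Constructed sample of hypothetical advisories: (package, discovered, patched).
# Chosen so that the mean is 35 days while most fixes land within a few days.
ADVISORIES = [
    ("pkg-a", date(2001, 1, 10), date(2001, 1, 11)),   # 1 day
    ("pkg-b", date(2001, 2, 5), date(2001, 2, 6)),     # 1 day
    ("pkg-c", date(2001, 3, 1), date(2001, 3, 3)),     # 2 days
    ("pkg-d", date(2001, 4, 10), date(2001, 4, 12)),   # 2 days
    ("pkg-e", date(2001, 5, 20), date(2001, 5, 22)),   # 2 days
    ("pkg-f", date(2001, 6, 1), date(2001, 6, 4)),     # 3 days
    ("pkg-g", date(2001, 7, 7), date(2001, 7, 11)),    # 4 days
    ("pkg-h", date(2001, 8, 15), date(2001, 8, 20)),   # 5 days
    ("pkg-i", date(2001, 9, 1), date(2001, 10, 1)),    # 30 days
    ("pkg-j", date(2000, 12, 1), date(2001, 9, 27)),   # 300 days: the tail
]


def exposure_days(advisories):
    """Days each hole stayed open: discovery to patch, per advisory."""
    return [(patched - found).days for _, found, patched in advisories]


def summarize(advisories, tail_size=2):
    """Compare the statistics the thread argues about.

    total_exposure is what a user running every package actually suffers;
    it equals count * mean, regardless of how small the median is.
    tail_share is the fraction of that exposure owed to the slowest fixes.
    """
    days = exposure_days(advisories)
    total = sum(days)
    slowest = sorted(days, reverse=True)[:tail_size]
    return {
        "count": len(days),
        "mean": mean(days),
        "median": median(days),
        "total_exposure": total,
        "count_times_mean": len(days) * mean(days),
        "tail_share": sum(slowest) / total,
    }


if __name__ == "__main__":
    for key, value in summarize(ADVISORIES).items():
        print(f"{key:>17}: {value}")
```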
