
Re: Debian security being trashed in Linux Today comments

Colin Phipps <cph@netcraft.com> writes:

> On Wed, Jan 16, 2002 at 01:42:50AM +1300, Adam Warner wrote:
> > "...it took the Debian Security Team an average of 35 days to fix
> > security-related vulnerabilities."
> > An average based upon a very long tail is highly misleading. Please
> > quote the median time to fix a vulnerability instead.
> It is not misleading in this case, the tail is the _most_ important part
> of the data. It doesn't matter if we patch every other hole in 10 minutes
> if we leave one open for months.

Yes it does, if that remaining hole is merely a local, non-root, potential
vulnerability with no known exploit that's a PITA to fix - you *must*
weight the average accordingly.

Much as I hate stats, I can see that what you want to measure is how much
lethargy there is in Debian, which means excluding other influences, and
instead of wondering about means, modes and medians, you've got to weight
the whole thing. Bah, complicated.
