On Tue, Jan 15, 2002 at 01:52:47PM +0000, Colin Phipps wrote:
> [...]
> Furthermore I think the mean is exactly the right measure of this: from
> the user point of view, the important figure is total exposure time,
> i.e. sum of time between vulnerability discovery and patch (for
> installed packages) for all vulns. For someone who installs every Debian
> package, this is equal to (# of vulnerabilities)x(mean time to patch).
> The former measures how well packages are audited in advance, the latter
> measures how quickly vulnerabilities are corrected. It's the right
> statistic.

Are there any stats available on the number of people who have each
package installed? (I think not, but better ask).

If such stats were available, then security flaws in "popular" packages
could be weighted higher than flaws in the "not-so-popular" packages.

<tangent>Such numbers may also be useful for guesstimating the "impact"
of non-security related bugs... I feel a debian package coming along...
(mutters as he walks off into the sunset)</tangent>

> --
> Colin Phipps PGP 0x689E463E http://www.netcraft.com/

--
Karl E. Jørgensen karl@jorgensen.com www.karl.jorgensen.com
"One disk to rule them all, One disk to find them.
One disk to bring them all and in the darkness grind them.
In the Land of Redmond where the shadows lie."
-- The Silicon Valley Tarot
Attachment:
pgpFdedD5OE9V.pgp
Description: PGP signature
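The two measures discussed in the thread, written out as an added example that is not part of the original message or of any Debian tooling: the unweighted total exposure time (which equals number of vulnerabilities times mean time to patch, as the quoted text states) next to the install-count-weighted variant Karl asks about. The package names, dates and install counts are constructed for illustration, not real advisories or popularity figures.

```python
from datetime import date

# Constructed sample data (hypothetical, not real Debian advisories):
# (package, date the vulnerability became known, date a fixed package
# was available).
VULNS = [
    ("openssh",   date(2002, 1, 2),  date(2002, 1, 4)),
    ("libfoo",    date(2002, 1, 5),  date(2002, 1, 25)),
    ("apache",    date(2002, 1, 10), date(2002, 1, 13)),
    ("bar-utils", date(2002, 1, 6),  date(2002, 1, 16)),
]

# Constructed install counts (hypothetical popularity figures), i.e.
# the kind of per-package statistic the message asks about.
INSTALLS = {
    "openssh": 9000,
    "libfoo": 50,
    "apache": 4000,
    "bar-utils": 100,
}


def patch_delays(vulns):
    """Days between discovery and fix for each vulnerability."""
    return [(fixed - found).days for _pkg, found, fixed in vulns]


def total_exposure(vulns):
    """Total exposure time in days for someone with every package
    installed: the sum of all patch delays."""
    return sum(patch_delays(vulns))


def mean_time_to_patch(vulns):
    """Mean patch delay; total_exposure == len(vulns) * this value."""
    delays = patch_delays(vulns)
    return sum(delays) / len(delays) if delays else 0.0


def weighted_exposure(vulns, installs):
    """Exposure in user-days: each vulnerability's delay multiplied by
    the number of installs of the affected package. Packages with no
    popularity figure are counted as having no installs."""
    return sum(installs.get(pkg, 0) * (fixed - found).days
               for pkg, found, fixed in vulns)


def weighted_mean_time_to_patch(vulns, installs):
    """Mean patch delay seen by an average installation of one of the
    affected packages: user-days of exposure divided by the number of
    affected installs."""
    affected = sum(installs.get(pkg, 0) for pkg, _f, _x in vulns)
    return weighted_exposure(vulns, installs) / affected if affected else 0.0


if __name__ == "__main__":
    print("delays (days):", patch_delays(VULNS))
    print("total exposure:", total_exposure(VULNS), "days")
    print("mean time to patch:", mean_time_to_patch(VULNS), "days")
    print("weighted exposure:", weighted_exposure(VULNS, INSTALLS), "user-days")
    print("weighted mean time to patch: %.2f days"
          % weighted_mean_time_to_patch(VULNS, INSTALLS))
```

With the constructed data the unweighted mean is 8.75 days, dominated by the two slow fixes in rarely installed packages, while the install-weighted mean is about 2.4 days, because the popular packages were fixed quickly. The same patch delays therefore tell a different story depending on whether the question is "how fast does the distribution fix things" or "how long is the typical user exposed".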