Re: Debian security being trashed in Linux Today comments

On Tue, Jan 15, 2002 at 01:52:47PM +0000, Colin Phipps wrote:
> [...]
> Furthermore I think the mean is exactly the right measure of this: from
> the user point of view, the important figure is total exposure time,
> i.e. sum of time between vulnerability discovery and patch (for
> installed packages) for all vulns. For someone who installs every Debian
> package, this is equal to (# of vulnerabilities)x(mean time to patch).
> The former measures how well packages are audited in advance, the latter
> measures how quickly vulnerabilities are corrected. It's the right
> statistic.

Are there any stats available on the number of people who have each
package installed? (I think not, but better ask).

If such stats were available, then security flaws in "popular" packages
could be weighted higher than flaws in the "not-so-popular" packages.

<tangent>Such numbers may also be useful for guesstimating the "impact"
of non-security related bugs... I feel a debian package coming
along... (mutters as he walks off into the sunset)</tangent>

Karl E. Jørgensen
"One disk to rule them all, One disk to find them. One disk to bring
 them all and in the darkness grind them. In the Land of Redmond
 where the shadows lie." -- The Silicon Valley Tarot
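As an added illustration (not part of the original message), the exposure statistic from the quoted paragraph and the install-weighted variant suggested above, computed over constructed advisory records. Package names, dates and install counts are invented, and SYSTEMS is an assumed total population size against which the install counts are measured.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean

# Assumed total number of systems the install counts are measured against.
SYSTEMS = 10_000


@dataclass
class Advisory:
    package: str
    discovered: date  # day the vulnerability became known
    patched: date     # day a fixed package was available
    installs: int     # constructed install count (hypothetical: no such stats exist)


# Constructed sample advisories: names, dates and install counts are invented.
ADVISORIES = [
    Advisory("pkg-a", date(2002, 1, 2), date(2002, 1, 3), 9_000),
    Advisory("pkg-b", date(2002, 1, 5), date(2002, 1, 12), 3_000),
    Advisory("pkg-c", date(2002, 1, 7), date(2002, 1, 8), 1_500),
    Advisory("pkg-d", date(2002, 1, 10), date(2002, 1, 20), 6_000),
]


def exposure_days(adv: Advisory) -> int:
    """Days between discovery and patch for one vulnerability."""
    return (adv.patched - adv.discovered).days


def total_exposure(advisories) -> int:
    """Exposure for someone who installs every package: sum of all patch delays."""
    return sum(exposure_days(a) for a in advisories)


def count_times_mean(advisories) -> float:
    """(# of vulnerabilities) x (mean time to patch); equals total_exposure by construction."""
    return len(advisories) * mean(exposure_days(a) for a in advisories)


def weighted_exposure(advisories, systems=SYSTEMS) -> float:
    """Expected exposure for a typical system: each delay is scaled by the
    fraction of systems with that package installed, so popular packages weigh more."""
    return sum(exposure_days(a) * a.installs for a in advisories) / systems


def worst_offenders(advisories, systems=SYSTEMS):
    """Packages ranked by their install-weighted contribution, largest first."""
    contrib = {a.package: exposure_days(a) * a.installs / systems for a in advisories}
    return sorted(contrib, key=contrib.get, reverse=True)
```

With the sample data, total_exposure and count_times_mean both give 19 days, while the install-weighted figure is 9.15 days and ranks pkg-d (slow fix, widely installed) ahead of pkg-b (slower fix, less installed).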

