
Re: Debian security being trashed in Linux Today comments



On Tue, Jan 15, 2002 at 02:34:47PM +0000, Colin Phipps wrote:
> On Tue, Jan 15, 2002 at 02:04:38PM +0000, Tim Haynes wrote:
> > Colin Phipps <cph@netcraft.com> writes:
> > > It is not misleading in this case, the tail is the _most_ important part
> > > of the data. It doesn't matter if we patch every other hole in 10 minutes
> > > if we leave one open for months.
> > 
> > Yes it does, if that remaining hole is merely a local non-root potential
> > vulnerability with no known exploit that's a PITA to fix - you *must*
> > weight the average accordingly.
> 
> Agreed, weighted mean (by severity of vulnerability and popularity of
> package) would be better, if suitable weighting could be devised.

 Separate graphs would be more useful to more people.  (not everybody's
weighting would be the same as the weighting that would take a year of
debate to not be settled anyway...)  One graph for remote exploits, one for
local privilege escalation, one for remote holes in Important (according to
pkg system), etc.  Make a graph for anything someone might be interested in.
Or even generate them on the fly with input from a set of checkboxes for which
package to include; if someone wanted to write the code, it wouldn't be
hard.  (assuming there's a good way to see which package falls into which
category...  Hmm, that's probably not so easy with the data that is kept now.)

 Anyway, the most useful thing would be multiple graphs according to a few
interesting criteria.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter@llama.nslug. , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE
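As an added illustration of the statistics argued over in this thread (example code written for this page, not from the list or from any Debian tool), the script below computes, over constructed advisory records, the plain mean, the tail (maximum), a severity- and popularity-weighted mean, and the per-category breakdown the message above proposes; the severity weights and sample records are assumptions.

```python
"""Time-to-fix statistics over constructed advisory records (not real
Debian data): unweighted mean, tail, weighted mean and per-category means."""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Advisory:
    package: str
    days_to_fix: int
    remote: bool      # exploitable over the network?
    root: bool        # yields root (or root-equivalent) access?
    priority: str     # package priority in the package system
    installs: int     # popularity weight (assumed, e.g. install count)


# Constructed sample data; one slow local non-root fix forms the tail.
SAMPLE = [
    Advisory("httpd-ish", 1, True, True, "important", 9000),
    Advisory("sshd-ish", 2, True, True, "important", 9500),
    Advisory("libfoo", 3, True, False, "optional", 4000),
    Advisory("localbar", 120, False, False, "extra", 150),
    Advisory("setuid-baz", 7, False, True, "optional", 2000),
]


def severity_weight(a: Advisory) -> float:
    # Assumed weighting scheme (not from the thread): remote root weighs most.
    return (4.0 if a.remote else 1.0) * (2.0 if a.root else 1.0)


def unweighted_mean(adv):
    return mean(a.days_to_fix for a in adv)


def tail(adv):
    return max(a.days_to_fix for a in adv)


def weighted_mean(adv):
    # Weight each advisory by severity times package popularity.
    weights = [severity_weight(a) * a.installs for a in adv]
    return sum(w * a.days_to_fix for w, a in zip(weights, adv)) / sum(weights)


CATEGORIES = {
    "remote": lambda a: a.remote,
    "local privilege escalation": lambda a: not a.remote and a.root,
    "remote, Important priority": lambda a: a.remote and a.priority == "important",
}


def per_category(adv):
    """Return {category: (count, mean days, max days)}, one graph's worth each."""
    return {name: (len(sub), unweighted_mean(sub), tail(sub))
            for name, pred in CATEGORIES.items()
            if (sub := [a for a in adv if pred(a)])}
```

On the sample, the plain mean (26.6 days) is dominated by the single 120-day local fix, while the weighted mean is under two days and the per-category view shows where the tail actually sits.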


