
Re: Debian security being trashed in Linux Today comments



Peter Cordes wrote:
> 
> > Agreed, weighted mean (by severity of vulnerability and popularity of
> > package) would be better, if suitable weighting could be devised.
> 
>  Separate graphs would be more useful to more people.  (not everybody's
> weighting would be the same as the weighting that would take a year of
> debate to not be settled anyway...)  One graph for remote exploits, one for
> local privilege escalation, one for remote holes in Important (according to
> pkg system), etc.  Make a graph for anything someone might be interested in.
> Or even generate them on the fly with input from a set of checkboxes for which
> package to include; if someone wanted to write the code, it wouldn't be
> hard.  (assuming there's a good way to see which package falls into which
> category...  Hmm, that's probably not so easy with the data that is kept now.)
> 
>  Anyway, the most useful thing would be multiple graphs according to a few
> interesting criteria.

Any kind of policy we create should be easily applied to other distros in
order to combat FUD like the comments that started this thread. I agree
in separating graphs and stats into different categories such as remote
and local vulnerabilities, and Required (as in packages that are on
virtually all systems, i.e. glibc, at and friends, etc.). But we wouldn't
be distinguishing on a package basis, IMHO, since one package could be
vulnerable to a remote exploit, and also have a privilege escalation
vuln.

As for weighting the severity of exploits, this would definitely be
something that would need to be tailored to the individual who seeks
such information. Maybe a selection of different package types (i.e. mail
servers, web servers, ftp servers, user utils, admin utils, network
utils, development tools, base, etc.), then include in the report
whether specific packages are still vuln to known exploits, or details
on how fast specific packages were fixed after a vuln was announced.
The details would help advise as to which packages appear to be more
secure in a specific use, while statistics would show how well the
distro responds to fixes for a specific genre of packages, which would
in turn help an admin decide what distro would be best for the kind of
server he/she is creating. Maybe a package-specific report would be
easier, and more accurate.

Anyone wanna flame me, add to my thoughts, or compliment me? I guess as
a side note, I shouldn't say "we" since I doubt I am really eligible to
be a major contributor to such a project... Just my two cents, anyhow.

-Will Wesley
Great way to learn about mknod...
box:~# rm -rf /dev
box:~# man mknod
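The per-category counts and per-package-type response-time report the two posters sketch, as an added example that is not part of the original thread. The advisory records are constructed sample data, not real Debian advisories, and the field names (pkg, type, vector, announced, fixed) are assumptions.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample advisories (not real Debian data): affected package, the
# functional type an admin might filter on, whether the hole is remote or a
# local privilege escalation, and announce/fix dates (fixed=None: still open).
ADVISORIES = [
    {"pkg": "exim", "type": "mail", "vector": "remote",
     "announced": date(2001, 3, 1), "fixed": date(2001, 3, 3)},
    {"pkg": "wu-ftpd", "type": "ftp", "vector": "remote",
     "announced": date(2001, 4, 10), "fixed": date(2001, 4, 25)},
    {"pkg": "at", "type": "base", "vector": "local",
     "announced": date(2001, 5, 2), "fixed": date(2001, 5, 4)},
    {"pkg": "apache", "type": "web", "vector": "remote",
     "announced": date(2001, 6, 1), "fixed": None},
    {"pkg": "sendmail", "type": "mail", "vector": "local",
     "announced": date(2001, 6, 20), "fixed": date(2001, 6, 22)},
]

def count_by(advisories, key):
    """Counts per category: the input for one separate graph per vector or type."""
    counts = defaultdict(int)
    for adv in advisories:
        counts[adv[key]] += 1
    return dict(counts)

def days_to_fix(adv):
    """Days between announcement and fix, or None while still vulnerable."""
    if adv["fixed"] is None:
        return None
    return (adv["fixed"] - adv["announced"]).days

def report(advisories, pkg_type=None, vector=None):
    """Report restricted to a package type and/or attack vector: how many
    advisories, median response time for fixed holes, and which are still open."""
    selected = [a for a in advisories
                if (pkg_type is None or a["type"] == pkg_type)
                and (vector is None or a["vector"] == vector)]
    delays = [d for d in map(days_to_fix, selected) if d is not None]
    return {
        "advisories": len(selected),
        "median_days_to_fix": median(delays) if delays else None,
        "still_vulnerable": sorted(a["pkg"] for a in selected if a["fixed"] is None),
    }

if __name__ == "__main__":
    print(count_by(ADVISORIES, "vector"))
    print(report(ADVISORIES, pkg_type="mail"))
    print(report(ADVISORIES, vector="remote"))
```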
