
RE: Quality of security assurance with Debian vs. RedHat vs. SuSE



> On Tue 11 Jun 2002 19:54, Noah L. Meyerhans wrote:
> > There is a lot of collaboration between the respective security
> > teams for the major Linux distributions.  As a result of this,
> > they all tend to release necessary security updates at the same
> > time.  Known security updates are rarely, if ever, left unfixed
> > by a distribution vendor.  Knowledge of a security vulnerability
> > is never kept from another distribution vendor.  As a result of
> > all this, the relative security of the different distributions
> > is very similar.

> From: Jeff Bonner [mailto:jeff@integralogic.com]
> Well put.  From my understanding of how things work, I assumed as
> much, but I wasn't confident enough to write that all out.  ;)

They (we?) all use many of the same primary sources: the kernel, Bind, Apache, OpenSSH, XFree, gcc, zlib, etc. When a fix to a primary source is made by the people who write that source, the distributions' major work is testing, then packaging it and making it available to the user base. On second thought, RedHat does do some special customization of gcc, or so I've heard...

This is very granular. There is no reason for a distributor not to include a fix, and the wide variety of testing from multiple different distributors gives great feedback to the primary sources. I wouldn't be surprised to learn that there are lots of "oops" style bugs discovered, fed back and fixed, long before the "public" sees an updated package in any of the distributions.

This is the Bazaar. RedHat packagers have a different set of preconceptions and assumptions from Debian packagers, and from Slackware packagers, et al.

There is also no embarrassment. There may be a self-preservation reflex in a closed-source producer to deny a fault and slow a fix, because it's "their own fault". Linux distributors are lauded when they release a fix quickly.

> > The one advantage that I think Debian has is that apt-get makes it
> > so easy to keep up to date on packages.

> I couldn't have said it better myself.  Apt is the number one reason
> I went with Debian:  ease of updates.

My number one reason was the collaborative nature of the Debian effort. Debian was the first Linux I installed, from floppies, in 1986. When I later discovered how "broken" package management in other distributions is compared to Debian, it was like sneaking a peek out through the gate of the Garden of Eden. There may be some installation snakes, but the desert outside is far harder to survive in.

Curt-


-- 
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org