[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Security Stats

On Wed, Jul 24, 2002 at 08:03:44PM -0400, Phillip Hofmeister wrote:
> All,
> I am doing a college Honor's project on different distributions.  Data on
> Debian and it's security fixes would be helpful if it is available.  I would
> be looking for anythings useful in particular, the following:
> How many security fixes each quarter for the past 2 or 3 quearters.
> How many packages have been supported during said time^
> Mean time until security update.
> If this information is available it would be VERY useful

	I did such an study a while back (search the archives) for the
year 2001. It should be referenced from the "Securing Debian Manual" too
also (if you do not want to find the link yourself).

	In order to help make this kind of studies, the new DSAs published
on the website, and the metadata used to generate them, includes links to
vulnerability databases (CERT, Bugtraq and CVE). You could easily donwload
the WML sources of the web server (from the CVS) or use the HTML pages to
determine the time that it takes for Debian to fix vulnerabilities (since
you can parse the other databases for the reported time).

	I haven't gotten around to program it myself (but its on my TODO),
in any case, I have updated from time to time some published
vulnerabilities with links to CERT, Bugtraq and CVE that might not be
available at the time the DSA is published (otherwise the Security Team
does it already). Also, updates on the published information would be
appreciated them (please send tables, diffs, or whatever to

	Any developments to automate this would be appreciated (since the
study I did a while back was automated :) Also, I, for one, would
appreciate reading the Honor's project.

	OTOH, from what I've seen of other distributions is quite
difficult to retrieve this information (i.e. it's not yet in a way it can
be extracted easily, if at all) and you might need to rely exclusively on
the "vendor" information available in public databases.



To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: