
Re: Misc topics (was Re: ISP asking about switching to Debian from OpenBSD)



"Karsten M. Self" wrote:
> 
> on Fri, Nov 23, 2001 at 04:59:12PM -0800, Petro (petro@auctionwatch.com) wrote:
> > On Thu, Nov 22, 2001 at 09:40:37PM -0800, Karsten M. Self wrote:
> > > on Thu, Nov 22, 2001 at 02:12:17AM -0800, Petro (petro@auctionwatch.com)
> > > wrote: 
> > > > >     Bruce Schneier identifies four periods of concern for security
> > > > >     issues:
> > > > >      1.  Introduction of vulnerability.  It exists, but is unknown.
> > > > >      2.  Awareness.  It is known, but not necessarily patched.
> > > > >      3.  Introduction of fix.  A software patch is available.
> > > > >      4.  Application of fix.  Software patch is widely applied.
> > > >
> > > >     Number 4 is wishful thinking.
> > >
> > > It's a numbers game.  Debian makes accomplishing # 4 far easier than any
> > > other system I'm familiar with.
> >
> >     The problem is the space between 3 and 4. Mr. Schneier left out a
> >     step:
> >         3.5 Broadcasting of fix availability.
> 
> Which again Debian speaks to with the apt process.  *If* you're updating
> your systems regularly, you're being informed of the updates (or your
> system is), and they're being updated.

And if not, you *do* subscribe to the security-announce list, don't you?

Actually, I don't know how the Debian project could be faulted for 3.5
or 4.

How well they do 3, well, how can you really verify that?  I guess you'd
have to follow the upstream projects and see if patches made it down
into the packages.
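One way to measure the space between steps 3 and 4 on a Debian host, as an added example that is not part of this thread: a POSIX shell check over the dry-run output of `apt-get -s upgrade` that lists upgrades whose candidate version comes from the Debian-Security archive, i.e. fixes that are available but not yet applied. The apt output embedded below is constructed sample data; its package names and version strings are illustrative, not taken from any real advisory.

```shell
#!/bin/sh
# Added example: find security fixes that apt knows about but that have
# not been installed yet (Schneier's step 3 reached, step 4 not).
# Input is the output of `apt-get -s upgrade` (a simulation, no changes).
# apt prints one "Inst <pkg> [<old>] (<new> <origin> [<arch>])" line per
# package it would upgrade; the origin names the archive the candidate
# comes from, which for security updates is "Debian-Security:...".

# Constructed sample of `apt-get -s upgrade` output (not from a real host).
SAMPLE_APT_OUTPUT='Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
The following packages will be upgraded:
  libssl1.1 openssl vim
3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst libssl1.1 [1.1.1n-0+deb11u3] (1.1.1n-0+deb11u4 Debian-Security:11/stable-security [amd64])
Inst openssl [1.1.1n-0+deb11u3] (1.1.1n-0+deb11u4 Debian-Security:11/stable-security [amd64])
Inst vim [2:8.2.2434-3] (2:8.2.2434-3+deb11u1 Debian:11.6/stable [amd64])
Conf libssl1.1 (1.1.1n-0+deb11u4 Debian-Security:11/stable-security [amd64])
Conf openssl (1.1.1n-0+deb11u4 Debian-Security:11/stable-security [amd64])
Conf vim (2:8.2.2434-3+deb11u1 Debian:11.6/stable [amd64])'

# Reads apt-get -s output on stdin and prints "pkg old -> new" for every
# pending install whose candidate comes from a Debian-Security archive.
# Only "Inst" lines count; "Conf" lines repeat the same packages.
pending_security_updates() {
    awk '$1 == "Inst" && /Debian-Security/ {
        # Upgrades carry "[old]" in field 3; fresh installs do not.
        if ($3 ~ /^\[/) { old = $3; new = $4 } else { old = "(new)"; new = $3 }
        gsub(/[][()]/, "", old); gsub(/[][()]/, "", new)
        print $2, old, "->", new
    }'
}

# Number of pending security updates, printed as a bare integer.
count_pending_security_updates() {
    pending_security_updates | wc -l | tr -d ' '
}

# Demo on the constructed sample. On a real host replace the printf with:
#   apt-get -s upgrade | pending_security_updates
printf '%s\n' "$SAMPLE_APT_OUTPUT" | pending_security_updates
echo "pending security updates: $(printf '%s\n' "$SAMPLE_APT_OUTPUT" | count_pending_security_updates)"
```

A non-zero count on a host that is supposed to track security-announce is exactly the 3-to-4 gap the thread is arguing about, and is cheap to alert on from cron.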


