Re: Misc topics (was Re: ISP asking about switching to Debian from OpenBSD)
"Karsten M. Self" wrote:
>
> on Fri, Nov 23, 2001 at 04:59:12PM -0800, Petro (petro@auctionwatch.com) wrote:
> > On Thu, Nov 22, 2001 at 09:40:37PM -0800, Karsten M. Self wrote:
> > > on Thu, Nov 22, 2001 at 02:12:17AM -0800, Petro (petro@auctionwatch.com)
> > > wrote:
> > > > > Bruce Schneier identifies four periods of concern for security
> > > > > issues:
> > > > > 1. Introduction of vulnerability. It exists, but is unknown.
> > > > > 2. Awareness. It is known, but not necessarily patched.
> > > > > 3. Introduction of fix. A software patch is available.
> > > > > 4. Application of fix. Software patch is widely applied.
> > > >
> > > > Number 4 is wishful thinking.
> > >
> > > It's a numbers game. Debian makes accomplishing # 4 far easier than any
> > > other system I'm familiar with.
> >
> > The problem is the space between 3 and 4. Mr. Schneier left out a
> > step:
> > 3.5 Broadcasting of fix availability.
>
> Which again Debian speaks to with the apt process. *If* you're updating
> your systems regularly, you're being informed of the updates (or your
> system is), and they're being updated.
And if not, you *do* subscribe to the security-announce list, don't you?
Actually, I don't know how the Debian project could be faulted for 3.5
or 4.
How well they do 3, well, how can you really verify that? I guess you'd
have to follow the upstream projects and see if patches made it down
into the packages.
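As an added example, not part of the original thread or of Debian's own tooling: the "space between 3 and 4" is something you can measure on a host rather than argue about. After `apt-get update` (the regular updating Karsten refers to), `apt-get -s upgrade` simulates the upgrade and prints one `Inst` line per pending package in the form `Inst <pkg> [<installed>] (<candidate> <origin-label> [<arch>])`. The origin label for packages from security.debian.org is `Debian-Security:...` (the Label field of that archive's Release file; this example assumes that label is in use on your system). The script below filters those lines so you can see which pending upgrades are security fixes you have not yet applied. The apt output it parses is a constructed sample so the script runs offline; package versions in it are made up.

```shell
#!/bin/sh
# Added example (not from the original thread): list pending upgrades that come
# from the Debian security archive by parsing `apt-get -s upgrade` output.
# On a live Debian host:  apt-get update >/dev/null && apt-get -s upgrade | list_security_upgrades

# Constructed sample of `apt-get -s upgrade` output (made-up versions, real format:
# "Inst <pkg> [<installed>] (<candidate> <origin-label> [<arch>])").
SAMPLE_APT_OUTPUT='Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
The following packages will be upgraded:
  curl libcurl4 libssl1.1 vim-common
4 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst libssl1.1 [1.1.1n-0+deb11u4] (1.1.1n-0+deb11u5 Debian-Security:11/stable-security [amd64])
Inst libcurl4 [7.74.0-1.3+deb11u7] (7.74.0-1.3+deb11u10 Debian-Security:11/stable-security [amd64])
Inst curl [7.74.0-1.3+deb11u7] (7.74.0-1.3+deb11u10 Debian-Security:11/stable-security [amd64])
Inst vim-common [2:8.2.2434-3+deb11u1] (2:8.2.2434-3+deb11u2 Debian:11.9/stable [all])
Conf libssl1.1 (1.1.1n-0+deb11u5 Debian-Security:11/stable-security [amd64])
Conf libcurl4 (7.74.0-1.3+deb11u10 Debian-Security:11/stable-security [amd64])
Conf curl (7.74.0-1.3+deb11u10 Debian-Security:11/stable-security [amd64])
Conf vim-common (2:8.2.2434-3+deb11u2 Debian:11.9/stable [all])'

# Read simulated apt output on stdin; print "<pkg> <installed> -> <candidate>"
# for every pending "Inst" whose origin label is the security archive.
# Exit status 0 if at least one security upgrade is pending, 1 otherwise,
# which makes the function usable directly as a cron or monitoring check.
list_security_upgrades() {
    awk '
        $1 == "Inst" && $0 ~ /Debian-Security/ {
            pkg = $2
            if (substr($3, 1, 1) == "[") {          # "[installed]" present: an upgrade
                old = substr($3, 2, length($3) - 2) # strip the brackets
                new = substr($4, 2)                 # strip the leading "("
            } else {                                # no installed version: a new install
                old = "(none)"                      #   (only seen with dist-upgrade)
                new = substr($3, 2)
            }
            print pkg, old, "->", new
            n++
        }
        END { exit (n > 0 ? 0 : 1) }
    '
}

# Number of pending security upgrades, as a bare integer on stdout.
count_security_upgrades() {
    list_security_upgrades | wc -l | tr -d ' '
}

# Stand-alone demo on the constructed sample (prints the three security upgrades).
printf '%s\n' "$SAMPLE_APT_OUTPUT" | list_security_upgrades
```

Note that `apt-get -s` only knows about fixes your last `apt-get update` fetched, so the check is only as current as step 3.5; it tells you what you have been informed of and have not applied, not what upstream has fixed that has not yet reached the archive.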