On Tue, Jun 11, 2002 at 07:20:50PM -0400, Jeff Bonner wrote:
> I am certainly not in a position to say which is more secure, but this
> reminded me of a flap that arose over a list of vulnerabilities posted
> by platform, etc on SecurityFocus:
>
> http://securityfocus.com/vulns/stats.shtml
I'm not sure this data is worth much. Debian, Redhat, SuSE, et al. typically ship with very similar software collections. Often the only difference in the data given above is that Redhat got unlucky and shipped when foo 1.2.3 was current, which was later found to have a hole. Debian, on the other hand, may have gotten lucky and shipped with foo 1.2.4, which incorporated the bug fix. That was the case in the big rpc.statd problem from a couple of years ago.

There is a lot of collaboration between the respective security teams for the major Linux distributions. As a result of this, they all tend to release necessary security updates at the same time. Known security updates are rarely, if ever, left unfixed by a distribution vendor. Knowledge of a security vulnerability is never kept from another distribution vendor. As a result of all this, the relative security of the different distributions is very similar.

The one advantage that I think Debian has is that apt-get makes it so easy to keep up to date on packages. We also make a very strong effort to avoid modifying dependencies and behavior of updated packages, which makes behavior of updates very predictable. You should expect security updates from Debian to Just Work.

noah

-- 
_______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
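The "foo 1.2.3 versus foo 1.2.4" point in the message above, worked through in code. This is an added example for this discussion, not code from the thread or from any distribution's security team. It implements the dpkg version-comparison rules (epoch, upstream, Debian revision, with "~" sorting before everything) and then shows how a per-vendor vulnerability count comes out differently depending on whether you compare shipped versions against the upstream fixed version (what a stats page does) or against the version each vendor's own advisory names. The package name "foo", the vendor names, the versions and the advisory data are all constructed placeholders.

```python
"""Why per-vendor vulnerability counts mostly reflect which upstream version
each vendor happened to ship.  Version ordering follows the dpkg algorithm.
Added example for this discussion; package, versions and vendor names are
constructed placeholders, not real release contents."""


def _order(c: str) -> int:
    """dpkg ordering weight for one character; end-of-string is 0."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare an upstream or revision string the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character by character by dpkg weight.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros; longer run wins, else first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(v1: str, v2: str) -> int:
    """Return <0, 0, >0 as v1 is older than, equal to, or newer than v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def is_affected(shipped: str, fixed_in: str) -> bool:
    """A shipped version is counted as affected when it sorts below the fix."""
    return compare_versions(shipped, fixed_in) < 0


# Constructed scenario: upstream foo closed the hole in 1.2.4.
UPSTREAM_FIXED = "1.2.4"
SHIPPED = {
    "vendor-a": "1.2.3-2",    # shipped the old upstream: genuinely exposed
    "vendor-b": "1.2.4-1",    # shipped after the upstream fix: never exposed
    "vendor-c": "1.2.3-2.1",  # old upstream, but the fix was backported in -2.1
}
# Constructed: the fixed version each vendor's own advisory names.
VENDOR_FIXED = {"vendor-a": "1.2.3-3", "vendor-c": "1.2.3-2.1"}


def count_by_upstream(shipped=SHIPPED, fixed_in=UPSTREAM_FIXED):
    """The stats-page view: everything below the upstream fix is 'vulnerable'."""
    return {v: is_affected(ver, fixed_in) for v, ver in shipped.items()}


def count_by_vendor_advisory(shipped=SHIPPED, vendor_fixed=VENDOR_FIXED):
    """The vendor view: a backported fix counts; no advisory means never affected."""
    return {v: (v in vendor_fixed and is_affected(ver, vendor_fixed[v]))
            for v, ver in shipped.items()}


if __name__ == "__main__":
    print("by upstream version:", count_by_upstream())
    print("by vendor advisory: ", count_by_vendor_advisory())
```

By upstream version, vendor-a and vendor-c both count as hit and vendor-b does not, purely because of what was current at release time; by the vendors' own advisories, vendor-c's backported fix drops it out of the count. Comparing against the upstream fixed version alone is what makes a per-platform tally of the kind linked above misleading for distributions that backport fixes without bumping the upstream version.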