Hi, I wish I had numbers for you, but I don't.
I do remember we had to build our own patched ssh binaries for the last voulnerability 'cus RH didn't have 'em for a day or two. Debian had packages out withing hours of the patch being posted. Never been able to upgrade a RH box on my network (too many NFS dependencies or something), Debian has handled this. <shameless type="self-aggrandizement"> The MIT Artificial Intelligence Lab has stopped supporting RH and moved to Debian. I managed this by setting up my workstation with Debian and showing howmuch more quickly security patches are out and how much easier it is to admin (OK and writing my own custom installer so noone had to see how tedeous it can be to install with all the config questions that are going to be the same on every system we install). </shameless> The joys of apt are reason enough! Of course if Management is as technically inept as the term makes them sound, you may be SOL. I haven't seen any statistics like what you'd need (if you find them send us a link). On the other hand if they're that brain dead how would they know your new webserver was running Debian? I wouldn't recommend replacing the OS on a production server, unless you're building a replacement anyway though. -Jon
