"Karsten M. Self" wrote:
>
> on Fri, Nov 23, 2001 at 04:59:12PM -0800, Petro ([EMAIL PROTECTED]) wrote:
> > On Thu, Nov 22, 2001 at 09:40:37PM -0800, Karsten M. Self wrote:
> > > on Thu, Nov 22, 2001 at 02:12:17AM -0800, Petro ([EMAIL PROTECTED])
> > > wrote:
> > > > > Bruce Schneier identifies four periods of concern for security
> > > > > issues:
> > > > > 1. Introduction of vulnerability. It exists, but is unknown.
> > > > > 2. Awareness. It is known, but not necessarily patched.
> > > > > 3. Introduction of fix. A software patch is available.
> > > > > 4. Application of fix. Software patch is widely applied.
> > > >
> > > > Number 4 is wishful thinking.
> > >
> > > It's a numbers game. Debian makes accomplishing # 4 far easier than any
> > > other system I'm familiar with.
> >
> > The problem is the space between 3 and 4. Mr. Schneier left out a
> > step:
> > 3.5 Broadcasting of fix availability.
>
> Which again Debian speaks to with the apt process. *If* you're updating
> your systems regularly, you're being informed of the updates (or your
> system is), and they're being updated.
And if not, you *do* subscribe to the security-announce list, don't you? Actually, I don't know how the Debian project could be faulted for 3.5 or 4. How well they do 3, well, how can you really verify that? I guess you'd have to follow the upstream projects and see if patches made it down into the packages.
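The gap the thread argues about (a fix exists and has been announced, step 3.5, but is not yet applied, step 4) is something an operator can measure on an apt-based host. The script below is an added example and is not code from the thread or from the Debian project: it parses the `Inst` lines that `apt-get --simulate upgrade` prints and reports the pending upgrades whose source suite is a security archive. The sample output, the package names and the version strings are constructed, and the exact `Inst` line layout (package, bracketed current version, parenthesised new version and suite) is assumed rather than taken from the thread.

```shell
#!/bin/sh
# Added example: find security fixes that are published but not yet applied
# on an apt-based system, from the output of `apt-get --simulate upgrade`.
# Everything below is constructed sample data; the line format is assumed.

# Constructed sample of what `apt-get --simulate upgrade` prints.
# Only "Inst" lines describe pending upgrades; "Conf" lines are ignored.
SAMPLE_APT_SIM='Reading package lists...
Building dependency tree...
Inst examplessl [1.0-1] (1.0-1+sec1 Debian-Security:11/stable-security [amd64])
Inst examplelibc [2.0-3] (2.0-4 Debian:11.7/stable [amd64])
Inst examplecurl [7.0-2] (7.0-2+sec1 Debian-Security:11/stable-security [amd64])
Conf examplessl (1.0-1+sec1 Debian-Security:11/stable-security [amd64])'

# Print "package current_version new_version" for each pending upgrade
# whose suite field (5th column) names a security archive.
pending_security_updates() {
    printf '%s\n' "$1" | awk '$1 == "Inst" && $5 ~ /[Ss]ecurity/ {
        cur = $3; gsub(/[][]/, "", cur);   # strip the [ ] around the current version
        new = $4; gsub(/[()]/, "", new);   # strip the ( around the new version
        print $2, cur, new
    }'
}

# Number of pending security upgrades; an operator wants this to be zero.
count_pending_security_updates() {
    pending_security_updates "$1" | wc -l | tr -d ' '
}

# Exit status for a cron job or monitoring check: non-zero while security
# fixes are waiting to be applied (the space between step 3.5 and step 4).
check_fully_patched() {
    [ "$(count_pending_security_updates "$1")" -eq 0 ]
}

pending_security_updates "$SAMPLE_APT_SIM"
```

On a live host the sample string would be replaced by `apt-get --simulate upgrade` output after an `apt-get update`, so the check reflects what the security archive has announced rather than what the local package lists last saw.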