On Sat, Nov 19, 2005 at 03:46:23PM +0000, MJ Ray wrote:
> I think the statistic is questionable, so there should be
> verification/substantiation of the statistic, but I don't know
> whether it's right or wrong. I think it's prejudging things to
> delete the first paragraph as suggested.

I don't know where that data comes from, but I did produce some statistics a while back:

http://www.debian.org/News/2004/20040406
http://lists.debian.org/debian-security/2001/12/msg00257.html

I guess that whoever disagrees with the current claim should produce hard evidence against it. It is not that difficult to craft: just take the CVE database, other vendors' advisories, Bugtraq and our list of DSAs, put it in the same database and generate a report of "time to fix" in Debian for the woody/sarge releases.

Regards

Javier

PS: Contact me through private e-mail if anybody wants some of the scripts I used for the statistics above. BTW, some of the data is available at http://people.debian.org/~jfs/debconf/security/data/, but not the scripts.