Peter Cordes wrote:
>
> > Agreed, weighted mean (by severity of vulnerability and popularity of
> > package) would be better, if suitable weighting could be devised.
>
> Separate graphs would be more useful to more people. (not everybody's
> weighting would be the same as the weighting that wou
Right. It should be "A report published...".
Fixed. Thanks
Javi
On Tuesday, 2002-01-15 at 13:07:12 +0100, Javier Fernández-Sanguino Peña wrote:
> On Tue, Jan 15, 2002 at 09:23:20AM +0100, Lupe Christoph wrote:
> > I still think a table and graph would be a good addition to the security
> > FAQ, as an answer to the question "How long does Debian take to
> > fix
On Tue, Jan 15, 2002 at 02:34:47PM +, Colin Phipps wrote:
> On Tue, Jan 15, 2002 at 02:04:38PM +, Tim Haynes wrote:
> > Colin Phipps <[EMAIL PROTECTED]> writes:
> > > It is not misleading in this case, the tail is the _most_ important part
> > > of the data. It doesn't matter if we patch ev
On Tue, Jan 15, 2002 at 02:04:38PM +, Tim Haynes wrote:
> Colin Phipps <[EMAIL PROTECTED]> writes:
> > It is not misleading in this case, the tail is the _most_ important part
> > of the data. It doesn't matter if we patch every other hole in 10 minutes
> > if we leave one open for months.
>
>
On Tue, Jan 15, 2002 at 01:52:47PM +, Colin Phipps wrote:
> [...]
> Furthermore I think the mean is exactly the right measure of this: from
> the user point of view, the important figure is total exposure time,
> i.e. sum of time between vulnerability discovery and patch (for
> installed packag
Colin Phipps <[EMAIL PROTECTED]> writes:
> On Wed, Jan 16, 2002 at 01:42:50AM +1300, Adam Warner wrote:
> > "...it took the Debian Security Team an average of 35 days to fix
> > security-related vulnerabilities."
> >
> > An average based upon a very long tail is highly misleading. Please
> > quote the
Previously Colin Phipps wrote:
> It is not misleading in this case, the tail is the _most_ important part
> of the data. It doesn't matter if we patch every other hole in 10
> minutes if we leave one open for months.
Both are interesting though.
Wichert.
--
__
On Wed, Jan 16, 2002 at 01:42:50AM +1300, Adam Warner wrote:
> "...it took the Debian Security Team an average of 35 days to fix
> security-related vulnerabilities."
>
> An average based upon a very long tail is highly misleading. Please
> quote the median time to fix a vulnerability instead.
It i
hi ya wichert
true... i probably should have been clearer...
that i'm on the way end of the bugtraq list...
keep up the good work "all" ...
have fun
alvin
http://www.Linux-Sec.net ... hardening howtos ...
On Tue, 15 Jan 2002, Wichert Akkerman wrote:
> Previously Alvin Oga wrote:
> > i did an
Previously Alvin Oga wrote:
> i did an dist-upgrade&& update&& upgrade today... and saw sudo get update
> before fixes to sudo was posted to bugtraq
Actually it was posted to bugtraq about 15 minutes before but you only
saw it later due to moderation :)
Wichert.
--
__
hi ya
i did an dist-upgrade&& update&& upgrade today... and saw sudo get update
before fixes to sudo was posted to bugtraq
c ya
alvin
On 15 Jan 2002, Adam Warner wrote:
> On Tue, 2002-01-15 at 09:44, Florian Weimer wrote:
> > Adam Warner <[EMAIL PROTECTED]> writes:
> >
> > > http://www.linux
On Wed, 2002-01-16 at 01:07, Javier Fernández-Sanguino Peña wrote:
> Already did it yesterday (except for the column with the data).
> See
> http://www.debian.org/doc/manuals/securing-debian-howto/ch11.en.html#s11.3
Please consider removing any reference to the average amount of time in
the
On Tue, Jan 15, 2002 at 09:23:20AM +0100, Lupe Christoph wrote:
> On Monday, 2002-01-14 at 23:20:21 -0400, Peter Cordes wrote:
> > On Mon, Jan 14, 2002 at 01:25:11PM -0500, Jeremy L. Gaddis wrote:
>
> > I recompressed it as a real PNG, and attached it to this mail, for your
> > viewing pleasure :
On Mon, Jan 14, 2002 at 09:53:15AM -0500, Noah L. Meyerhans wrote:
> On Mon, Jan 14, 2002 at 01:37:50PM +, Simon Huggins wrote:
> > So perhaps Debian security is only as good as the package maintainers?
> > I'm sure most maintainers do care and do investigate bugs I probably
> > just had a bad
On Tue, 2002-01-15 at 09:44, Florian Weimer wrote:
> Adam Warner <[EMAIL PROTECTED]> writes:
>
> > http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB
> >
> > Someone with better knowledge of all the facts might want to comment on
> > the claim that "Debian is always the last t
On Monday, 2002-01-14 at 23:20:21 -0400, Peter Cordes wrote:
> On Mon, Jan 14, 2002 at 01:25:11PM -0500, Jeremy L. Gaddis wrote:
> I recompressed it as a real PNG, and attached it to this mail, for your
> viewing pleasure :) PNG gets 3.5 times better compression, probably because
> this image on
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Peter Cordes <[EMAIL PROTECTED]> writes:
> [...] To get testing better tested (by providing the service more
> people need to run it), and to get the security team familiar with
> the soon-to-be-stable release, there could be a mechanism for
> securi
On Mon, Jan 14, 2002 at 12:17:15PM -0700, John Galt wrote:
>
> Okay, this has gone far enough. The reason that s.d.o only deals with
> stable is that stable is the only part of Debian that by its nature
> cannot change. For unstable (and now testing) if there's a security bug,
> any DD can p
On Mon, Jan 14, 2002 at 01:25:11PM -0500, Jeremy L. Gaddis wrote:
> It renders fine in IE. :)
Yeah, but it has the binary crap at the end. It renders like that in moz
too. (both running on the family 'doze PC while I type this mail through
PuTTY.)
>
> The binary data is, I presume, the two f
On Tue, 2002-01-15 at 01:41, Daniel Polombo wrote:
> Adam Warner wrote:
>
> > On Tue, 2002-01-15 at 01:05, Tim Haynes wrote:
>
> >>Some of us wouldn't dare say such things without at least reviewing the
> >>given distro's security policy, FAQ and history.
>
> > But I was really impressed that up
On Mon, Jan 14, 2002 at 07:19:29PM +0100, Javier Fernández-Sanguino Peña wrote:
> > I hope you provide a cleaned-up version. .../msg00257.html is full
> > of binary crap. And the link .../bin0.bin could be stored
> > as the PNG file it is supposed to be. The way it is now, I get
> > a MIME-type
Adam Warner <[EMAIL PROTECTED]> writes:
> http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB
>
> Someone with better knowledge of all the facts might want to comment on
> the claim that "Debian is always the last to fix security holes" and the
> tag team follow up "I've been f
Okay, this has gone far enough. The reason that s.d.o only deals with
stable is that stable is the only part of Debian that by its nature
cannot change. For unstable (and now testing) if there's a security bug,
any DD can put up a NMU if it's severe enough, or the regular maintainer
can fix
On Mon, 14 Jan 2002, Daniel Polombo wrote:
> Adam Warner wrote:
> Well, maybe you should follow Tim's advice and go check the security team's
> FAQ :
>
>Q: How is security handled for testing and unstable?
>
>A: The short answer is: it's not. Testing and unstable are rapidly moving
>
Debian security being trashed in Linux Today comments
On Monday, 2002-01-14 at 15:12:48 +0100, Javier Fernández-Sanguino Peña
wrote:
> On Mon, Jan 14, 2002 at 01:15:16PM +0100, Wichert Akkerman wrote:
> > Previously Adam Warner wrote:
> > > Someone with better knowledge of all the facts might
On Mon, Jan 14, 2002 at 06:16:46PM +0100, Lupe Christoph wrote:
>
> I hope you provide a cleaned-up version. .../msg00257.html is full
> of binary crap. And the link .../bin0.bin could be stored
> as the PNG file it is supposed to be. The way it is now, I get
> a MIME-type of application/octet
h the previous data
j.
--
Jeremy L. Gaddis <[EMAIL PROTECTED]>
-Original Message-
From: Lupe Christoph [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 14, 2002 12:17 PM
To: Javier Fernández-Sanguino Peña
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Debian security being
"Noah L. Meyerhans" <[EMAIL PROTECTED]> writes:
> On Mon, Jan 14, 2002 at 01:37:50PM +, Simon Huggins wrote:
> > So perhaps Debian security is only as good as the package maintainers?
> > I'm sure most maintainers do care and do investigate bugs I probably
> > just had a bad experience.
>
> That
On Mon, Jan 14, 2002 at 01:37:50PM +, Simon Huggins wrote:
> So perhaps Debian security is only as good as the package maintainers?
> I'm sure most maintainers do care and do investigate bugs I probably
> just had a bad experience.
That is the case in unstable and testing, but not stable. Tha
On Mon, Jan 14, 2002 at 01:15:16PM +0100, Wichert Akkerman wrote:
> Previously Adam Warner wrote:
> > Someone with better knowledge of all the facts might want to comment on
> > the claim that "Debian is always the last to fix security holes" and the
> > tag team follow up "I've been fighting for m
On Mon, Jan 14, 2002 at 12:05:34PM +, Tim Haynes wrote:
> Adam Warner <[EMAIL PROTECTED]> writes:
> > http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB
> >
> > Someone with better knowledge of all the facts might want to comment
> > on the claim that "Debian is always the l
Adam Warner wrote:
On Tue, 2002-01-15 at 01:05, Tim Haynes wrote:
Some of us wouldn't dare say such things without at least reviewing the
given distro's security policy, FAQ and history.
But I was really impressed that updates for unstable/testing were
released at the same time. For those
On Tue, 2002-01-15 at 01:05, Tim Haynes wrote:
> Adam Warner <[EMAIL PROTECTED]> writes:
>
> > http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB
> >
> > Someone with better knowledge of all the facts might want to comment on
> > the claim that "Debian is always the last to fix
Previously Adam Warner wrote:
> Someone with better knowledge of all the facts might want to comment on
> the claim that "Debian is always the last to fix security holes" and the
> tag team follow up "I've been fighting for months now to try to convince
> them to release an advisory or fix for ftpd
Adam Warner <[EMAIL PROTECTED]> writes:
> http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB
>
> Someone with better knowledge of all the facts might want to comment on
> the claim that "Debian is always the last to fix security holes" and the
> tag team follow up "I've been fi
http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB
Someone with better knowledge of all the facts might want to comment on
the claim that "Debian is always the last to fix security holes" and the
tag team follow up "I've been fighting for months now to try to convince
them to r