Peter Cordes wrote:
>
> > Agreed, weighted mean (by severity of vulnerability and popularity of
> > package) would be better, if suitable weighting could be devised.
>
> Separate graphs would be more useful to more people. (not everybody's
> weighting would be the same as the weighting that would take a year of
> debate to not be settled anyway...) One graph for remote exploits, one for
> local privilege escalation, one for remote holes in Important (according to
> pkg system), etc. Make a graph for anything someone might be interested in.
> Or even generate them on the fly with input from a set of checkboxes for which
> package to include; if someone wanted to write the code, it wouldn't be
> hard. (assuming there's a good way to see which package falls into which
> category... Hmm, that's probably not so easy with the data that is kept now.)
>
> Anyway, the most useful thing would be multiple graphs according to a few
> interesting criteria.
Any kind of policy we create should be easily applied to other distros in order to combat FUD like the comments that started this thread. I agree in separating graphs and stats into different categories such as remote and local vulnerabilities, and Required (as in packages that are on virtually all systems, i.e. glibc, at and friends, etc.). But we wouldn't be distinguishing on a package basis, IMHO, since one package could be vulnerable to a remote exploit, and also have a privilege escalation vuln.

As for weighting the severity of exploits, this would definitely be something that would need to be tailored to the individual who seeks such information. Maybe a selection of different package types (i.e. mail servers, web servers, ftp servers, user utils, admin utils, network utils, development tools, base, etc.), then include in the report whether specific packages are still vuln to known exploits, or details on how fast specific packages were fixed after a vuln was announced. The details would help advise as to which packages appear to be more secure in a specific use, while statistics would show how well the distro responds to fixes for a specific genre of packages, which would in turn help an admin decide what distro would be best for the kind of server he/she is creating. Maybe a package-specific report would be easier, and more accurate.

Anyone wanna flame me, add to my thoughts, or compliment me? I guess as a side note, I shouldn't say "we" since I doubt I am really eligible to be a major contributor to such a project... Just my two cents, anyhow.

-Will Wesley

Great way to learn about mknod...
box:~# rm -rf /dev
box:~# man mknod