He has data that shows there is a time lag between when a subpackage gets fixed and a distro rolls out a patch. It looks to be 30 days, on average. This matches my experience. Unless the fix is readily exploitable, the vendors take a while. What that tells me is that the distros do not have an automated system for testing the validity of their distros and cutting a patchset. They have to do it by hand. That needs to be improved.
I don't know much about the process the different vendors use, but I do have a problem with an untested patch being released. If the fix is for a readily exploitable package, you say yourself that the release time is faster. If Linux wants to be accepted in the data center, then the distros can't afford to release patches that cause more trouble than good. 30 days for testing, not bad considering how many packages may be affected if it is a library package.
Linux distros should lag behind subsystem patches by *hours*, not days. Even if Windows took 60 years, Linux should still take hours to put a patch in your hands if you want it. The goal of Linux should not simply be "better than Windows"; it should be the best it can be.
Most distros have unapproved patches on their FTP sites and mirrors or CVS. You can usually get those quite quickly in the form of a source package.
This kind of knee-jerk defense of things in Linux *which should be fixed* is why Linux advocates get portrayed as rabid geekoids with no ability to understand the larger picture.
If nothing else, it should give the Linux folks supreme pleasure to be able to use fabricated, FUD data and then beat the Windows guys over the head with it: "Gee you were right, we needed an automated way to roll out new fixes immediately. Now we've got one, so our average is 24 *hours*. What's yours? Oh, it's still weeks, what a shame."
Most of the software teams manage to release patches within a 24-hour window. Those patches can be applied to source builds. That may take minutes or hours. Then there is the whole QA cycle that must be done. Shoot, maybe they should just do away with that part, and not test the package, since there is a published theoretical hole in the software.
--
"How long have you known me, Jack? And you still don't know how to spell my name." -- Upon receiving a check from Jack Buck made out to "bearer."
--Yogi Berra
--
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
