On Tue, Feb 22, 2011 at 21:18, Randal L. Schwartz <[email protected]> wrote:
>>>>>> "Daniel" == Daniel Pittman <[email protected]> writes:
>
> Daniel> Last time I counted the CVE stuff showed that Win32 and Linux were
> Daniel> about even in terms of vulnerabilities, at least, and that you were
> Daniel> much more at risk if you used something outside the big three distros,
> Daniel> or Win32.
>
> You typed "more" where I think you meant "less".

No, I meant more: smaller distributions had known vulnerabilities for
longer than either Win32 or the RedHat/SuSE/Debian (and immediate
derivatives; Ubuntu was small enough at the time not to factor) set,
which meant they were more likely to get bitten.

> Linux holes are far more useful to exploit than say, FreeBSD holes,
> simply because there's far more Linux out there.

I gathered far less data on this, although my recollection is that the
*BSD group were generally about as risky in the "real world" – once
applications were installed from ports – as Linux was. Their base
system was usually much smaller, so had fewer holes, but it didn't help
the overall state.

[…]

> See OpenBSD's completely sane claim of having had only two (three?)
> remote exploits in over a decade. The average time between remote
> exploits in Linux is measured in months.

They carefully limit that to only their core distribution; your
comparison would be the absolute minimal Debian installation, rather
than the standard one.

That said, they may well be more secure. I was loose in my comments
above, which I mostly intended to refer to Linux, and commercial
distributions.

Daniel
-- 
⎋ Puppet Labs Developer – http://puppetlabs.com
✉ Daniel Pittman <[email protected]>
✆ Contact me via gtalk, email, or phone: +1 (503) 893-2285
♲ Made with 100 percent post-consumer electrons
_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
