Wolfram Schlich <[EMAIL PROTECTED]> posted [EMAIL PROTECTED], excerpted below, on Mon, 07 Aug 2006 13:42:21 +0200:
> I just stumbled over an article from SearchSecurity.com which was linked
> to in a heise newsticker posting that tries to analyze how fast
> distributions react to security vulnerabilities:
>
> http://tinyurl.com/lplfb
>
> Quick chart:
>
> Rank Distro                    Points/100
> ---- ------------------------- ----------
> 1.   Ubuntu                    76
> 2.   Fedora Core               70
> 3.   Red Hat Enterprise Linux  63
> 4.   Debian GNU/Linux          61
> 5.   Mandriva Linux            54
> 6.   Gentoo Linux              39
> 7.   Trustix Secure Linux      32
> 8.   SUSE Linux Enterprise     32
> 9.   Slackware Linux           30
>
> Rank 6 out of 10 is not a great result -- at least we beat SUSE ;)

I saw the same article and was similarly unhappy. One thing to note is that the timings, AFAIK, are based on the release of the security announcement for the distribution. With Gentoo, as others have pointed out, that means waiting for everybody to stabilize the update -- it's actually in the tree days/weeks before that. Realizing it's there for those who want it, well before the GLSA, is useful, although it doesn't particularly help our standing or make us look that great. I do know, however, that as a ~arch user, most of the time when I see a GLSA on the announce list, I check and I've had the fixed version installed for a week or more.

For those who prefer stable, the above info can still be helpful. As long as you normally visit community sites such as LWN, which list security announcements when they become public (an article is created at the original announcement by the first distrib or the finder/upstream, then updated as the various distribs do their own announcements), the ebuilds are usually in the tree either at the moment of public announcement, or within 24 to 48 hours, best I can tell. There's nothing saying you have to wait for the GLSA or even for stable keywording. Once you see the announcement, check the tree for the version in question, or the ChangeLog, as sometimes it's not a new version upstream so it's just a Gentoo -rX revision.

You can then use package.keywords etc. as appropriate, to get the security update, even if you normally use stable, days/weeks before the GLSA, and normally very soon after public announcement.

-- 
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman

-- 
gentoo-dev@gentoo.org mailing list
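The check-the-tree-then-keyword step described in the reply, as an added example that is not part of the original post or of Portage's own tooling: it looks for ebuilds at or above the version named in an announcement and prints the package.keywords line a stable system would need. The package name, versions and the temporary tree are constructed for the demonstration; the keywords file path follows the 2006-era convention (current Portage reads /etc/portage/package.accept_keywords instead).

```shell
#!/bin/sh
# Added example: find a security-fixed ebuild in a Portage tree and emit the
# package.keywords entry that lets a stable system pull it before the GLSA.
# The tree layout is the real one (cat/pkg/pkg-ver.ebuild); the package below
# is constructed and does not exist.

# True if version $1 >= version $2. Uses GNU `sort -V`, which orders the usual
# Gentoo x.y.z and x.y.z-rN forms correctly (x.y.z sorts before x.y.z-r1).
version_ge() {
    [ "$(printf '%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# Newest ebuild of cat/pkg in tree $1 whose version is >= $3, or "" if the
# fix is not in the tree yet (the case where you wait for the ChangeLog/GLSA).
find_fixed_version() {
    root=$1 atom=$2 minver=$3
    pkg=${atom##*/} best=
    for f in "$root/$atom"/*.ebuild; do
        [ -e "$f" ] || continue            # unmatched glob: package not in tree
        v=${f##*/}; v=${v#"$pkg-"}; v=${v%.ebuild}
        version_ge "$v" "$minver" || continue
        if [ -z "$best" ] || version_ge "$v" "$best"; then best=$v; fi
    done
    printf '%s' "$best"
}

# The line to append to /etc/portage/package.keywords: pin exactly the fixed
# version with the testing keyword for arch $3, leaving the rest stable.
keyword_line() {
    printf '=%s-%s ~%s\n' "$1" "$2" "$3"
}

# Constructed mini-tree: two vulnerable versions and a Gentoo -r1 revision
# standing in for the fixed ebuild named in an announcement.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/net-misc/examplepkg"
    for ver in 1.0.2 1.0.3 1.0.3-r1; do
        : > "$d/net-misc/examplepkg/examplepkg-$ver.ebuild"
    done
    printf '%s\n' "$d"
}

demo_tree=$(make_demo_tree)
fix=$(find_fixed_version "$demo_tree" net-misc/examplepkg 1.0.3)
if [ -n "$fix" ]; then
    echo "fixed version in tree: $fix"
    keyword_line net-misc/examplepkg "$fix" amd64
else
    echo "fix not in tree yet; watch the ChangeLog and the GLSA"
fi
```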