RE: Quality of security assurance with Debian vs. RedHat vs. SuSE



On Tue 11 Jun 2002 19:54, Noah L. Meyerhans wrote:

> > reminded me of a flap that arose over a list of 
> > vulnerabilities posted by platform, etc on SecurityFocus:
> > 
> >    http://securityfocus.com/vulns/stats.shtml
> 
> I'm not sure this data is worth much.  Debian, Redhat, SuSE, et al
> typically ship with very similar software collections.  Often the
> only difference in the data given above is that Redhat got unlucky
> and shipped when foo 1.2.3 was current, which was later found to
> have a hole.  Debian, on the other hand, may have gotten lucky and 
> shipped with foo 1.2.4, which incorporated the bug fix.  That was
> the case in the big rpc.statd problem from a couple years ago.

Yeah, I don't put too much faith in those raw numbers, so I tried to
qualify that statement as much as I could.  Actually, there was an
article on WinInformant claiming that, based on that set of data,
NT was more secure than Linux, which to me is laughable.

Anyway, nobody had replied to the original poster so I thought I'd
try to jump start his query.  Hopefully not with a bad suggestion?

> There is a lot of collaboration between the respective security
> teams for the major Linux distributions.  As a result of this,
> they all tend to release necessary security updates at the same
> time.  Known security updates are rarely, if ever, left unfixed
> by a distribution vendor.  Knowledge of a security vulnerability
> is never kept from another distribution vendor.  As a result of
> all this, the relative security of the different distributions
> is very similar.

Well put.  From my understanding of how things work, I assumed as
much, but I wasn't confident enough to write that all out.  ;)
 
> The one advantage that I think Debian has is that apt-get makes it
> so easy to keep up to date on packages.  We also make a very strong
> effort to avoid modifying dependencies and behavior of updated
> packages, which makes behavior of updates very predictable.  You
> should expect security updates from Debian to Just Work.

I couldn't have said it better myself.  Apt is the number one reason
I went with Debian:  ease of updates.

Jeff Bonner


