LWN security comparison

So LWN did this article (subscriber only) and somehow I found myself with tons of mails about Debian and security in my inbox and hours spent on irc too today. Almost as if I were the other Joey.

First of all, AJ's post has one inaccuracy -- LWN did not look at bug #327210, but at bug #320017. Understandable confusion; perhaps vim's modeline support will be free of security holes one of these years. (Turns out I got it wrong, not AJ --joey) Oh, and also, the apache thing had a DSA today and is fixed in unstable, with testing hopefully getting the fix tonight. Though you won't see that in the bts.

I wish I had the energy to add a row to LWN's table to see how the Debian testing security team has managed with respect to days to get a fix in. I know that we have issued advisories for clamav, evolution, pcre, and vim, while fetchmail, proftpd, and apache have been or are in the process of reaching testing through more usual means, and the php holes are fixed for some things and not for others, as they affect lots of different packages that duplicate code.

Really, it's probably too soon to add us to the table, after all the fact that we are doing advisories is not even officially announced yet, and we were only able to start doing advisories after some of these holes were discovered, and are still in catchup mode.

I'm glad that LWN didn't choose to add kernel holes to their table. I do think that, like every security comparison I've seen so far, this comparison is flawed in significant ways, beginning with the criteria used to select vulnerabilities and going on from there. But it is a useful comparison as these things go.

I'm also glad that I took the time to read chapter 6 of Biella's thesis, since it clarified for me why these things seem to come up from time to time in the project as a seeming crisis, and how that's not entirely a bad thing. Looking forward to the other chapters.