Re: Debian more secure than OpenBSD ?!

From: Ted Unangst (
Date: 11/20/02

From: Ted Unangst <>
Date: Wed, 20 Nov 2002 04:11:28 -0800

On Wed, 20 Nov 2002, Oleg wrote:

> As of this writing, for years 2001 and 2002, securityfocus [1] lists
> 19 vulnerabilities for Debian and 40 for OpenBSD.
> More specifically, the latest stable Debian, 3.0, released 124 days ago,
> has only 1 vulnerability listed, while the latest OpenBSD, 3.2, released 19
> days ago, already has 2.

It would be better to compare the individual projects' websites.

There's a lot more than one vulnerability for Debian 3.0 on their own
site. An exact total is hard to come by, though, since they are including
several packages which not everyone uses. Debian clearly has more than
one vuln if you hold it the same criteria as OpenBSD, since I can find
apache, bind, and kadmind on the vuln list for 3.0. I don't see a fix
for the kernel DOS either.

Using the securityfocus database is likely to produce very unreliable
results. Counting bugs in a database says more about the quality of the
database than the OS.

"People have criticized me because my security detail is larger
than the president's.  But you must ask yourself: are there more
people who want to kill me than who want to kill the president?
I can assure you there are."
      - M. Barry, Mayor of Washington, DC

Relevant Pages