Re: Debian more secure than OpenBSD ?!

From: Florian Weimer (Weimer@CERT.Uni-Stuttgart.DE)
Date: 12/11/02


From: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
Date: Wed, 11 Dec 2002 08:27:11 +0100

Oleg <oleg_inconnu@myrealbox.com> writes:

> More specifically, the latest stable Debian, 3.0, released 124 days ago,
> has only 1 vulnerability listed, while the latest OpenBSD, 3.2, released 19
> days ago, already has 2.

These statistics are obviously incorrect.

> Until now, I was under what seems like an erroneous impression that
> OpenBSD was more secure than any mainstream Linux distribution. Anyone care
> to comment?

According to your metric, Debian is certainly the most insecure free
software distribution because it offers so many packages. Any
statistic that says otherwise is erroneous in some way or other.

> BTW, I also noticed that securityfocus database is unaware of any
> exploits for most of the vulnerabilities. Is this because no one
> bothered to write the exploits or because no one bothered to add
> them to the database?

That's because full disclosure (in the original sense) is dead. Most
people who discover security defects in free software follow the
guidelines called "Responsible Disclosure", give developers and
distributors ample time for a fix, and wait for a coordinated release
without much detail. Usually, you must read the diffs if you want to
know what's going on.
