Linux Discussion: Secunia Advisories

[markwolfe Veteran]

Browsing through the Secunia site, I just peeked into a few sections of interest, and found the following:

Fedora Core 1: No advisories http://secunia.com/product/2568/

Fedora Core 2: No advisories http://secunia.com/product/3489/

Fedora Core 3: No advisories http://secunia.com/product/4222/

Debian 3.0: Moderately Critical http://secunia.com/product/143/

Debian Unstable (sid): Moderately Critical http://secunia.com/product/530/

From a quick look, it seems to be that the apparent advantage to Fedora is because the RedHat/Fedora team has a much more limited scope of apps that are "included" in their distro. And Debian (I think) is rated on all items in the official repositories, therefore more chances of an (often obscure) item with a flaw. This leads people to think that Debian has more issues when a similar install (with identical apps) between Fedora and Debian would (should) have the identical number of flaws.

I bring this up, because of recent readings in Windows vs. Linux security. Various groups try to rate security by purely the number of exploits, or "days of risk" (which is really days of announced risk, not real days since the faulty code was discovered), or severity. Firstly, the "Windows vs. Linux" is already wrong by the title, as there is no functional "Linux" alone. You need to count the other packages that are typically included. And there leads to more opportunities for fact twisting, in that Windows advocates will cite some numbers that are the results of a Microsoft-funded study that show Windows having half the fixes that "Linux" has. What those studies don't show is that "Linux" will get double (or triple- or quadruple- ) dipped for flaws in the sets they offer (typical distros include more than one different choice for their packages, mailservers, ftp servers, client apps, and so forth).

What are your thoughts on this?

[dotRoot]

Browsing through the Secunia site, I just peeked into a few sections of interest, and found the following:

Fedora Core 1: No advisories http://secunia.com/product/2568/

Fedora Core 2: No advisories http://secunia.com/product/3489/

Fedora Core 3: No advisories http://secunia.com/product/4222/

Debian 3.0: Moderately Critical http://secunia.com/product/143/

Debian Unstable (sid): Moderately Critical http://secunia.com/product/530/

From a quick look, it seems to be that the apparent advantage to Fedora is because the RedHat/Fedora team has a much more limited scope of apps that are "included" in their distro.?? And Debian (I think) is rated on all items in the official repositories, therefore more chances of an (often obscure) item with a flaw.? This leads people to think that Debian has more issues when a similar install (with identical apps) between Fedora and Debian would (should) have the identical number of flaws.

I bring this up, because of recent readings in Windows vs. Linux security.?? Various groups try to rate security by purely the number of exploits, or "days of risk" (which is really dayannouncedd risk, not real days since the faulty code was discovered), or severity.?? Firstly, the "Windows vs. Linux" is already wrong by the title, as there is no functional "Linux" alone.? You need to count the other packages that are typically included.?? And there leads to more opportunities for fact twisting, in that Windows advocates will cite some numbers that are the results of a Microsoft-funded study that show Windows having half the fixes that "Linux" has.?? What those studies don't show is that "Linux" will get double (or triple- or quadruple- ) dipped for flaws in the sets they offer (typical distros include more than one different choice for their packages, mailservers, ftp servers, client apps, and so forth).

What are your thoughts on this?

585728227[/snapback]

Considering the release time between stable Debian releases and Fedora releases then all of this goes as suspected. The Debian unstable release had a little over 100 more advisories than Fedora Core 1 - 3, but I think if anything, it is more because of the developement models of each distro. One is known for going through a longer period of tests before its gold release and one is known for being in constant testing and release every 6 months.

[Miuku.]

One of the biggest issues with comparing Linux to Windows is clear: When I install a public out of the box SuSE f.ex. I have over 3,000 applications on my system.

Let's download all those applications for Windows from different freeware/shareware/commercial distributors and start comparing how many issues you'll have on Windows with the EQUAL amount of software installed.

If I choose to download and install a minimal 100MB Linux, I'm going to see a miniscule amount of security advisories, perhaps just a few per quarter.