>>> Since we don't just blindly apply fixes from other
>>> distributions and there still needs to be someone who can
>>> check this additional information I fail to see that this
>>> is needed for us.
>>
>> There is no harm in getting an overview of what other
>> distributions do, though.
>
> The cost of maintaining that information separately has to be
> considered, too. A lot of this information is available through NVD,
> albeit with some delay.

As long as someone is willing to do the work, I don't see it as too burdensome. It's simply a matter of watching the other distributions' security announcements (usually 0-10 per day) and updating the tracker with that information. I would be willing to do it all myself.

I think Debian should do all that it can to avoid lag in security updates, and that means getting the word out about the problem as soon as possible (not addressed here) as well as getting word out when a solution has been found ASAP (this suggestion addresses this problem). Security researchers will judge the distribution poorly because of apparently large vulnerability windows (note that Red Hat is usually praised for their small windows, but from the looks of it, they tend to reserve all their problems until the fix is released, which is why their numbers look so good).

I don't think relying on the NVD is good enough because they take too long to update their information.

Regards,
Mike