Date: Mon, 13 Nov 2017 22:22:11 +0100 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Subject: Re: (linux-)distros list use statistics On Mon, Nov 13, 2017 at 08:38:59PM +0100, Kristian Fiskerstrand wrote: > On 11/13/2017 08:33 PM, Solar Designer wrote: > > This lists two very long embargo periods for two Linux kernel issues: 96 > > days for CVE-2017-7533 and 28 days for CVE-2017-1000255. While this is > > useful info, it does not reflect (linux-)distros' lists performance as > > it includes embargo periods from prior to disclosure to those lists. > > Also, we can't reliably know of such prior embargo periods, so our data > > would be inconsistent, which is especially bad for calculating averages. > > It is calculated from first report on distros list, Oh, I must have guessed wrong. I thought the long embargo periods were correct and assumed that was because of inclusion of pre-distros time, but according to what you're saying these are just two errors. > that said, for > CVE-2017-1000255 there was some missing data for first publication (it > is public through > https://access.redhat.com/security/cve/CVE-2017-1000255 and > http://www.securityfocus.com/bid/101264 since 9th), so the publication > time is 5.97 days (although not for oss-security posting). Your statistics appear to suggest that it was public on oss-security exactly 22 days later, but actually it was public on oss-security at most a day later with: http://www.openwall.com/lists/oss-security/2017/10/10/3 I guess you'll correct this. If you ever notice an embargo period exceeding 14 days, please investigate and either correct whatever error you might have or sound the alarm. This shouldn't be happening. Thanks! On Mon, Nov 13, 2017 at 08:42:49PM +0100, Kristian Fiskerstrand wrote: > Page created: > http://oss-security.openwall.org/wiki/mailing-lists/distros/stats Thank you! This currently shows some fields as empty, including but not only for CVE-2017-1000255, where I think you could add the missing info easily. Please do. Meanwhile, I've added a link from: http://oss-security.openwall.org/wiki/mailing-lists/distros#list-usage-statistics Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ