Re: (linux-)distros list use statistics

[Kristian Fiskerstrand <k_f () gentoo org>]

On 11/13/2017 08:33 PM, Solar Designer wrote:
> On Mon, Nov 13, 2017 at 08:13:05PM +0100, Kristian Fiskerstrand wrote:
> > As far as I'm aware I haven't gotten access to edit the wiki page for
> > publishing it.
>
> Please feel free to create a page like:
>
> http://oss-security.openwall.org/wiki/mailing-lists/distros/stats
>
> You don't need any special access for that.

Ah, will look into that soon then.

> > The wikified stats based on the generated DocuWiki output is available
> > in very basic style at the testing instance:
> >
> > https://wiki.sumptuouscapital.com/doku.php?id=distros_stats
>
> Thank you, Kristian!
>
> This lists two very long embargo periods for two Linux kernel issues: 96
> days for CVE-2017-7533 and 28 days for CVE-2017-1000255.  While this is
> useful info, it does not reflect (linux-)distros' lists performance as
> it includes embargo periods from prior to disclosure to those lists.
> Also, we can't reliably know of such prior embargo periods, so our data
> would be inconsistent, which is especially bad for calculating averages.

It is calculated from first report on distros list, that said, for
CVE-2017-1000255 there was some missing data for first publication (it
is public through
https://access.redhat.com/security/cve/CVE-2017-1000255 and
http://www.securityfocus.com/bid/101264 since 9th), so the publication
time is 5.97 days (although not for oss-security posting).

> I think for our statistics collection, we should primarily use embargo
> periods since disclosure to (linux-)distros' lists, and secondarily
> since the possibly earlier embargo start dates when known (like you did
> now).  Can you add such data?

That should be the data already used.

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Attachment: signature.asc
Description: OpenPGP digital signature