secFUD

Zdnet has published an article entitled "Security an ongoing problem for Debian". Once again this article makes various quotes from Martin Schulze's blog. It also links to a page I recently created listing possible security problems in stable, based on the issue tracking done by the testing security team, and incorrectly attributes that page to Martin Schulze.

I'm now incredibly frustrated, since Zdnet is using the information on my page to bolster the false conclusion that Debian stable is less secure than it was last month.

First of all, any security comparison that involves blindly counting security holes is innately crap. That is the kind of comparison that yields conclusions such as "windows is more secure than linux". I'm fairly closely familiar with the current set of security holes listed on my page as affecting stable, and many of them are not even exploitable. Some of them are in code that is not shipped in any Debian package. And so on. Comparing data that you don't understand is not a good way to reach an informed conclusion.

The really frustrating bit is that Zdnet subtly leads its readers into thinking that -- just because my page lists so many possible security holes in Debian 3.1 -- things are somehow much worse than they were a month ago, which is when it cites our "ongoing security problems" as beginning. And they do this without even having access to the data about how many holes my page would have displayed a month ago. For what it's worth, when I run the numbers, and correct for some of the worst sources of inaccuracies (filtering out some 900 fixed holes in the process), I find 385 potential unfixed security holes in Debian 3.0. Somewhat more than the 101 listed for Debian 3.1.

Why? Well, recall that Debian 3.0 is a linux distribution that was released in 2002, and that many packages in that distribution (e.g. mozilla, kernel) had numerous known unfixed security holes that couldn't be fixed due to the massive job involved in backporting those fixes. Add all the little minor security holes that tend to be skipped over in favour of the remote root of the day, and the figure of several hundred unfixed holes in 3.0 begins to make sense. It seems likely to me that Debian 3.1 is more secure than that.

Which isn't to say that I'm very satisfied with the security of Debian stable, or with the frustration that must be driving Joey to blog continually about his troubles. But drawing the kind of inferences Zdnet has drawn is just fear-mongering.