Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20171113212211.GA27512@openwall.com>
Date: Mon, 13 Nov 2017 22:22:11 +0100
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: (linux-)distros list use statistics

On Mon, Nov 13, 2017 at 08:38:59PM +0100, Kristian Fiskerstrand wrote:
> On 11/13/2017 08:33 PM, Solar Designer wrote:
> > This lists two very long embargo periods for two Linux kernel issues: 96
> > days for CVE-2017-7533 and 28 days for CVE-2017-1000255.  While this is
> > useful info, it does not reflect (linux-)distros' lists performance as
> > it includes embargo periods from prior to disclosure to those lists.
> > Also, we can't reliably know of such prior embargo periods, so our data
> > would be inconsistent, which is especially bad for calculating averages.
> 
> It is calculated from first report on distros list,

Oh, I must have guessed wrong.  I thought the long embargo periods were
correct and assumed that was because of inclusion of pre-distros time,
but according to what you're saying these are just two errors.

> that said, for
> CVE-2017-1000255 there was some missing data for first publication (it
> is public through
> https://access.redhat.com/security/cve/CVE-2017-1000255 and
> http://www.securityfocus.com/bid/101264 since 9th), so the publication
> time is 5.97 days (although not for oss-security posting).

Your statistics appear to suggest that it was public on oss-security
exactly 22 days later, but actually it was public on oss-security at
most a day later with:

http://www.openwall.com/lists/oss-security/2017/10/10/3

I guess you'll correct this.

If you ever notice an embargo period exceeding 14 days, please
investigate and either correct whatever error you might have or sound
the alarm.  This shouldn't be happening.  Thanks!

On Mon, Nov 13, 2017 at 08:42:49PM +0100, Kristian Fiskerstrand wrote:
> Page created:
> http://oss-security.openwall.org/wiki/mailing-lists/distros/stats

Thank you!  This currently shows some fields as empty, including but
not only for CVE-2017-1000255, where I think you could add the missing
info easily.  Please do.

Meanwhile, I've added a link from:

http://oss-security.openwall.org/wiki/mailing-lists/distros#list-usage-statistics

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.