
Consider patch release schedule when looking at Linux

Edmund X. DeJesus, Contributor
With all the different distributions of Linux available -- many for free -- what distinguishes one from another? Most have the same set of standard bells and whistles. A few have support options that might be appealing for enterprise-level deployments.


Vulnerabilities examined and their severity

Severity   Vulnerabilities
High       Clam Antivirus, Firefox, KDELibs, Mozilla
Moderate   Sendmail, MySQL, SpamAssassin, Dia, LibTIFF, Ruby, Mutt, MySQL, GNU Privacy Guard, wv2, PostgreSQL, Blender, cyrus-sasl2, GNU Tar
Low        KDEBase, Quagga, Shadow, OpenLDAP, KDE Display Manager, GNOME Display Manager, AWStats, Apache, Heimdal
None       cpio, Fetchmail, Open Secure Shell
Nevertheless, underneath the surface, they all share pretty much the same code base. After all, that's what makes Linux so intriguing: busy open source developers all over the planet are always adding features or fixing bugs, and anybody can take advantage of their work.

So, why pick one brand instead of another? One reason is security. Not the security of the code itself, but how fast security patches get applied and published. The faster a security patch can be applied, the smaller the window of opportunity for attacks that exploit those vulnerabilities. Therefore, all other things being equal, security managers would prefer a Linux distribution with a record of speedy publication of fixes for security issues.

One way to make a nonscientific determination as to how quickly various Linux distributions publish their updates is by searching the Secunia database of advisories. It's easy to perform detailed searches using the Danish vulnerability clearinghouse's database to acquire the dates of code changes for known security vulnerabilities.

For example, examine the search results for 30 shared vulnerabilities (see table left) announced within the last six months that affected 11 popular Linux distributions (see bottom table). These distributions include both free versions that are created and maintained by volunteers, and retail versions that are sold by commercial vendors.

Simply examining some of this database information is interesting for comparison purposes. For example, if we look at the July update for the highly critical libmms vulnerability, we see that all the announced updates occurred within one day. By contrast, the libtiff and mysql vulnerabilities took 52 days and 46 days, respectively, to be patched on each of the platforms. Clearly, some distributions are getting updates out faster than others are.

Taking this a step further, for each of the 30 security issues, one could find the earliest and latest updates, and assign a score to each Linux distribution based on how quickly its handlers addressed that issue. For instance, if a distribution fixed an issue on the earliest date, it would receive a score of 100 for that issue; if it was the last vendor to fix the issue, it would get a score of 0. One can then average the scores after evaluating the 30 issues.
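The scoring rule just described, as an added example rather than anything from the article or from Secunia: the advisory dates are constructed and the three distributions are placeholders, but the libtiff and mysql spreads are chosen to reproduce the article's 52-day and 46-day figures, and the libmms case shows what happens when every vendor ships on the same day.

```python
"""Informal patch-speed scoring: for each issue the first distribution to
publish a fix scores 100, the last scores 0, and the rest are placed
linearly by date; a distribution's overall score is its average over
all issues.  Added example with constructed data, not Secunia records."""
from datetime import date
from statistics import mean

# Constructed sample: issue -> {distribution: date its fix advisory appeared}.
ADVISORIES = {
    "libmms":  {"distro-a": date(2005, 7, 21), "distro-b": date(2005, 7, 21), "distro-c": date(2005, 7, 21)},
    "libtiff": {"distro-a": date(2005, 5, 12), "distro-b": date(2005, 6, 1),  "distro-c": date(2005, 7, 3)},
    "mysql":   {"distro-a": date(2005, 8, 2),  "distro-b": date(2005, 8, 2),  "distro-c": date(2005, 9, 17)},
}


def patch_lag_days(fix_dates):
    """Days between the earliest and latest fix for one issue."""
    return (max(fix_dates.values()) - min(fix_dates.values())).days


def issue_scores(fix_dates):
    """Score one issue on a 0-100 scale: earliest fix is 100, latest is 0,
    others fall linearly in between.  If every vendor fixed it on the same
    day there is no spread to rank on, so everyone scores 100."""
    earliest = min(fix_dates.values())
    spread = patch_lag_days(fix_dates)
    if spread == 0:
        return {d: 100.0 for d in fix_dates}
    return {d: 100.0 * (1 - (fixed - earliest).days / spread)
            for d, fixed in fix_dates.items()}


def distribution_scores(advisories):
    """Average each distribution's per-issue scores (rounded to one decimal).
    An issue a distribution never shipped an advisory for is skipped rather
    than scored 0, so absence of data does not masquerade as slowness."""
    per_distro = {}
    for fix_dates in advisories.values():
        for distro, score in issue_scores(fix_dates).items():
            per_distro.setdefault(distro, []).append(score)
    return {d: round(mean(scores), 1) for d, scores in per_distro.items()}


if __name__ == "__main__":
    for issue, dates in ADVISORIES.items():
        print(f"{issue}: {patch_lag_days(dates)} days between first and last fix")
    print(distribution_scores(ADVISORIES))
```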

In this instance, Ubuntu and Fedora received the highest scores overall, reflecting their tendency to be among the first responders for many issues. The lowest scores were shared by OpenBSD, Slackware, SUSE and Trustix.

Naturally, it's unwise to put too much stock in the absolute numbers themselves; it's better to think about what is causing these results. For example, both Ubuntu and Fedora are free, but are sponsored by commercial vendors (Canonical Ltd. and Red Hat Inc., respectively). This could indicate that having corporate resources to support free efforts is important.

Also notice that retail distributions aren't necessarily better than free distributions in this regard. While Red Hat earned a respectable 63, Novell's SUSE received a 32. Some retail distributors may have a more lengthy process to develop and test fixes, because they must support more enterprise-level customers. A similar consideration may help explain Trustix Secure Linux's low score of 32: this distribution is oriented toward security, so perhaps its security experts take longer to verify vulnerability fixes.

The fact that other freely available versions like Debian score so well may reflect the distributed nature of such projects. With participating developers all over the world, they may be able to pounce on problems faster than organizations limited to a single country or site.

The bottom line is that even this informal analysis shows there are definitely differences in how fast Linux distributions develop and issue security patches. Security managers should keep that in mind when their organizations are in the process of selecting a version of Linux. Timeliness of security updates may prove to be a key issue that differentiates manufacturers of otherwise-similar operating systems.

Edmund X. DeJesus is a freelance technical writer in Norwood, Mass.

Name                        Free?                           Owner                                       Score
Ubuntu                      Yes                             Ubuntu Project (sponsored by Canonical)     76
Fedora Core                 Yes                             Fedora Project (sponsored by Red Hat)       70
Red Hat Enterprise Linux    No                              Red Hat                                     63
Debian GNU/Linux            Yes                             Debian                                      61
Mandriva Linux (Mandrake)   Yes (plus commercial versions)  Mandriva                                    54
FreeBSD                     Yes                             FreeBSD Foundation                          51
Gentoo Linux                Yes                             Gentoo Foundation                           39
Trustix Secure Linux        Yes                             Trustix Project (sponsored by Comodo Group) 32
SUSE Linux Enterprise       No                              Novell                                      32
OpenBSD                     Yes                             OpenBSD Project                             31
Slackware Linux             Yes                             Slackware Linux                             30

This article originally appeared on SearchSecurity.com.
