With all the different distributions of Linux available -- many for free -- what distinguishes one over another? Most have the same set of standard bells and whistles. A few have support options that might be appealing for enterprise-level deployments.
So, why pick one brand instead of another? One reason is security. Not the security of the code itself, but how fast security patches get applied and published. The faster a security patch can be applied, the smaller the window of opportunity for attacks that exploit those vulnerabilities. Therefore, all other things being equal, security managers would prefer a Linux distribution with a record of speedy publication of fixes for security issues.
One way to make a nonscientific determination as to how quickly various Linux distributions publish their updates is by searching the Secunia database of advisories. It's easy to perform detailed searches using the Danish vulnerability clearinghouse's database to acquire the dates of code changes for known security vulnerabilities.
For example, examine the search results for 30 shared vulnerabilities (see table left) announced within the last six months that affected 11 popular Linux distributions (see bottom table). These distributions include both free versions that are created and maintained by volunteers, and retail versions that are sold by commercial vendors.
Simply examining some of this database information is interesting for comparison purposes. For example, if we look at the July update for the highly critical libmms vulnerability, we see that all the announced updates occurred within one day. By contrast, the libtiff and mysql vulnerabilities took 52 days and 46 days, respectively, before fixes had been published on all of the platforms. Clearly, some distributions are getting updates out faster than others are.
Taking this a step further, for each of the 30 security issues, one could find the earliest and latest updates, and assign a score to each Linux distribution based on how quickly its handlers addressed that issue. For instance, if a distribution fixed an issue on the earliest date, it would receive a score of 100 for that issue; if it was the last vendor to fix the issue, it would get a score of 0. One can then average the scores after evaluating the 30 issues.
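As an added illustration of the scoring scheme just described (example code, not from the article or from Secunia), the following Python applies it to a constructed set of fix dates; the linear interpolation between the earliest and latest fix is an assumption, since the text only fixes the two endpoints at 100 and 0.

```python
from datetime import date
from statistics import mean

# Constructed sample data, not the article's actual Secunia results:
# issue -> {distribution: date its fix was published}
ADVISORIES = {
    "libmms": {"Ubuntu": date(2005, 7, 20), "Fedora": date(2005, 7, 20),
               "SUSE": date(2005, 7, 21)},
    "libtiff": {"Ubuntu": date(2005, 5, 10), "Fedora": date(2005, 5, 20),
                "SUSE": date(2005, 7, 1)},
    "mysql": {"Ubuntu": date(2005, 3, 14), "Fedora": date(2005, 4, 29),
              "SUSE": date(2005, 3, 14)},
}


def patch_window_days(fix_dates):
    """Days between the first and the last published fix for one issue."""
    return (max(fix_dates.values()) - min(fix_dates.values())).days


def score_issue(fix_dates):
    """Score each vendor on one issue: 100 for the earliest fix, 0 for the
    latest, linear in between (assumed). If every vendor fixed it on the
    same day there is no laggard, so all score 100."""
    earliest = min(fix_dates.values())
    span = patch_window_days(fix_dates)
    scores = {}
    for vendor, fixed in fix_dates.items():
        lag = (fixed - earliest).days
        scores[vendor] = 100.0 if span == 0 else 100.0 * (1 - lag / span)
    return scores


def rank_distributions(advisories):
    """Average each vendor's per-issue scores over the issues it shipped
    a fix for, rounded to one decimal like the article's table."""
    per_vendor = {}
    for fix_dates in advisories.values():
        for vendor, s in score_issue(fix_dates).items():
            per_vendor.setdefault(vendor, []).append(s)
    return {v: round(mean(s), 1) for v, s in per_vendor.items()}


if __name__ == "__main__":
    for issue, fixes in ADVISORIES.items():
        print(f"{issue:8s} window {patch_window_days(fixes):3d} days")
    ranked = sorted(rank_distributions(ADVISORIES).items(), key=lambda kv: -kv[1])
    for vendor, score in ranked:
        print(f"{vendor:8s} {score:5.1f}")
```

With this constructed data the libtiff and mysql windows come out at 52 and 46 days, mirroring the figures the article quotes, and a single slow fix is enough to pull a vendor's average down sharply.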
In this instance, Ubuntu and Fedora received the highest scores overall, reflecting their tendency to be among the first responders for many issues. The lowest scores were shared by OpenBSD, Slackware, SUSE and Trustix.
Naturally, it's unwise to put too much stock in the absolute numbers themselves; it's better to think about what is causing these results. For example, both Ubuntu and Fedora are free, but are sponsored by commercial vendors (Canonical Ltd. and Red Hat Inc., respectively). This could indicate that having corporate resources to support free efforts is important.
Also notice that retail distributions aren't necessarily better than free distributions in this regard. While Red Hat earned a respectable 63, Novell's SUSE received a 32. Some retail distributors may have a more lengthy process to develop and test fixes, because they must support more enterprise-level customers. A similar consideration may help explain Trustix Secure Linux's low score of 32: this distribution is oriented toward security, so perhaps its security experts take longer to verify vulnerability fixes.
The fact that other freely available versions like Debian score so well may reflect the distributed nature of such projects. With participating developers all over the world, they may be able to pounce on problems faster than organizations limited to a single country or site.
The bottom line is that even this informal analysis shows there are definitely differences in how fast Linux distributions develop and issue security patches. Security managers should keep that in mind when their organizations are in the process of selecting a version of Linux. Timeliness of security updates may prove to be a key issue that differentiates manufacturers of otherwise-similar operating systems.
Edmund X. DeJesus is a freelance technical writer in Norwood, Mass.
| Distribution | Free? | Developer | Score |
|---|---|---|---|
| Ubuntu | Yes | Ubuntu Project (sponsored by Canonical) | 76 |
| Fedora Core | Yes | Fedora Project (sponsored by Red Hat) | 70 |
| Red Hat Enterprise Linux | No | Red Hat | 63 |
| Mandriva Linux (Mandrake) | Yes (plus commercial versions) | Mandriva | 54 |
| Gentoo Linux | Yes | Gentoo Foundation | 39 |
| Trustix Secure Linux | Yes | Trustix Project (sponsored by Comodo Group) | 32 |
| SUSE Linux Enterprise | No | Novell | 32 |
| Slackware Linux | Yes | Slackware Linux | 30 |
This article originally appeared on SearchSecurity.com.