My analysis of Linux kernel security flaws shows an average lifetime of 5 years still https://outflux.net/blog/archives/2016/10/18/security-bug-lifetime/
Replying to @kees_cook
It would be interesting to pick a range of commits as a sample to figure out what % of security fixes actually get a CVE...
Replying to @CopperheadOS
If distros do a security update, there's a CVE (lots are assigned well after the fix). Maybe compare the date of the fix vs the CVE date-of-issue.
Replying to @kees_cook
Talking about all kinds of bug fixes that do have a security relevance if you look closely, but that aren't backported at all.
Replying to @CopperheadOS
This is why I tell everyone to use an upstream -stable tree instead of cherry-picking CVE fixes.
11:43 PM - 19 Oct 2016
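The measurement @kees_cook suggests (fix date vs CVE issue date) is easy to script once you have a `git log` listing and a table of CVE publication dates. The block below is an added example, not code from the thread or from the linked blog post: the `git log --format='%H %as %s'` output, the commit hashes and the `CVE-EXAMPLE-n` identifiers are all constructed placeholders, and the CVE table is assumed to have been assembled by hand from an advisory feed.

```python
"""Lag between an upstream fix landing and the matching CVE being issued.

Added example with constructed data: the commits and CVE ids are placeholders,
not real kernel history or real CVEs.
"""
from datetime import date
from statistics import median

# Constructed sample in the shape of `git log --format='%H %as %s'` output
# (fake short hashes and subjects, not real commits).
GIT_LOG = """\
1111aaaa 2016-03-02 net: check option length before copying
2222bbbb 2016-05-18 fs: fix use-after-free on error path
3333cccc 2016-07-09 drivers: validate ioctl argument size
4444dddd 2016-09-21 mm: avoid integer overflow in size computation
"""

# Constructed CVE table (assumed to be built by hand from an advisory feed):
# placeholder id -> (fixing commit, date the CVE was issued).
CVE_TABLE = {
    "CVE-EXAMPLE-1": ("1111aaaa", "2016-03-01"),  # issued the day before the fix (coordinated)
    "CVE-EXAMPLE-2": ("2222bbbb", "2016-06-30"),
    "CVE-EXAMPLE-3": ("3333cccc", "2016-11-15"),
    "CVE-EXAMPLE-4": ("4444dddd", "2017-02-10"),
}


def parse_git_log(text):
    """Map commit hash -> author date from `git log --format='%H %as %s'` lines."""
    dates = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        commit, day, _subject = line.split(" ", 2)
        dates[commit] = date.fromisoformat(day)
    return dates


def cve_lag_days(cve_table, commit_dates):
    """Days from the upstream fix date to the CVE issue date.

    Positive means the CVE was assigned after the fix was already in the tree;
    negative means the CVE existed before the fix landed.
    """
    lags = {}
    for cve, (commit, issued) in cve_table.items():
        fix_day = commit_dates[commit]  # KeyError here means the table names an unknown commit
        lags[cve] = (date.fromisoformat(issued) - fix_day).days
    return lags


def summarize(lags):
    """Median lag in days and the share of CVEs issued strictly after the fix."""
    values = list(lags.values())
    after_fix = sum(1 for v in values if v > 0)
    return {
        "median_days": median(values),
        "fraction_after_fix": after_fix / len(values),
    }


if __name__ == "__main__":
    lags = cve_lag_days(CVE_TABLE, parse_git_log(GIT_LOG))
    for cve, days in sorted(lags.items()):
        print(f"{cve}: CVE issued {days:+d} days relative to the upstream fix")
    print(summarize(lags))
```

On real data, the `git log` input comes from the upstream tree and the CVE table from whatever advisory source is trusted; the same two functions then give the distribution of "fix first, CVE later" that the thread is asking about. Note that this only covers fixes that ever got a CVE at all, which is exactly the gap @CopperheadOS raises about fixes that are never flagged or backported.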