Colin Phipps <[EMAIL PROTECTED]> writes:

> On Wed, Jan 16, 2002 at 01:42:50AM +1300, Adam Warner wrote:
>> "...it took the Debian Security Team an average of 35 days to fix
>> security-related vulnerabilities."
>> 
>> An average based upon a very long tail is highly misleading. Please
>> quote the median time to fix a vulnerability instead.
>
> It is not misleading in this case, the tail is the _most_ important part
> of the data. It doesn't matter if we patch every other hole in 10 minutes
> if we leave one open for months.

Yes it does, if that remaining hole is merely a local non-root potential
vulnerability with no known exploit that's a PITA to fix - you *must*
weight the average accordingly.

Much as I hate stats, I can see that what you want to measure is how much
lethargy there is in Debian, which means excluding other influences, and
instead of wondering about means, modes and medians, you've got to weight
the whole thing. Bah, complicated.

~Tim
-- 
<http://spodzone.org.uk/>

