On Wed, Jan 16, 2002 at 01:42:50AM +1300, Adam Warner wrote:

> "...it took the Debian Security Team an average of 35 days to fix
> security-related vulnerabilities."
>
> An average based upon a very long tail is highly misleading. Please
> quote the median time to fix a vulnerability instead.
It is not misleading in this case; the tail is the _most_ important part of the data. It doesn't matter if we patch every other hole in 10 minutes if we leave one open for months.

Furthermore I think the mean is exactly the right measure of this: from the user's point of view, the important figure is total exposure time, i.e. the sum of the time between vulnerability discovery and patch (for installed packages) over all vulns. For someone who installs every Debian package, this is equal to (# of vulnerabilities) x (mean time to patch). The former measures how well packages are audited in advance, the latter measures how quickly vulnerabilities are corrected. It's the right statistic.

--
Colin Phipps  PGP 0x689E463E  http://www.netcraft.com/