As an ISV who relies on each distro's autoupdate
system to get updates out to users, I am interested
in how well those systems work in practice.
Looking around a bit, I found a Defcon paper that compared
effectiveness of web browser autoupdate schemes:
http://www.techzoom.net/publications/insecurity-iceberg/index.en
I repeated the measurements using the tiny weblogs from
my own site, kegel.com. I only looked at Firefox updates,
but broke the results down by OS (Windows, Ubuntu, Fedora)
and, for Ubuntu and Fedora, by OS release.
The script I used and the pooled, anonymous data is at
http://kegel.com/autoupdate/
The results are at
http://kegel.com/autoupdate/report.txt
Here's a tiny summary showing
just the percentage of users of
each distro who had updated to
firefox-3.0.9 as of N days after Ubuntu
released the update:
        day:   1    2    3    4    5
        fc9   18   40   33   37   57
        fc10  30   43   62   71   68
        8.04  30   43   60   64   52
        8.10  38   54   50   56   62
        9.04  75   90   94   96   95
        Win   54   67   66   73   71
The Windows results are using Firefox's built-in
autoupdate; the Linux results are all using the
distro's updater (I filtered out any without the
distro's user agent tag).
The Windows results probably have a head start,
i.e. that 54% is probably really for day 2, because
Ubuntu's release probably lagged a day behind Mozilla's.
The Ubuntu 9.04 results look great, but they just mean
most people have been doing an upgrade rather than
a fresh install, so they get zoomed to firefox-3.0.9.
57 to 71 percent updated after five days isn't
too bad... but it's not great, either, in our hostile
world. Shouldn't we be able to do better?
Every day users are running outdated browsers is
another day they might be vulnerable to attack.
Also, looking at the raw data, it looks like ~10% of users
are just not into updating at all; they're running wildly old
browsers (like Firefox 2.x or Firefox 3.0.0).
Perhaps these folks are on dialup connections,
and can't do online updates because they're too slow?
If so, the delta update feature of Suse (and now Fedora 11)
might help.
Ubuntu 9.04 made a UI change (updates are now
presented by a minimized task rather than a notifier icon),
perhaps that will help.
As far as I know, no distro has set security updates
to default to be applied unattended. Not even Windows
does that, IIRC, but it does nudge people in that
direction. Should Linux distros encourage their users
to turn on unattended security updates?
Are any distros working to improve these numbers in other ways?
- Dan
_______________________________________________
Desktop_architects mailing list
[email protected]
https://lists.linux-foundation.org/mailman/listinfo/desktop_architects
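The measurement described in the post, written out as an added Python example (this is not Dan's script from kegel.com/autoupdate/): it walks Apache combined-log lines, keeps Firefox hits attributable to Windows or to an Ubuntu/Fedora release via the distro's user-agent tag, drops untagged Linux hits, and reports the share of distinct clients on the target version for each day after the update. The user-agent tag layouts, the sample log lines and the release date are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(\S+) .*\[(\d\d/\w{3}/\d{4}):[^\]]*\] .* "([^"]*)"$')  # ip, date, user agent
FF_RE = re.compile(r'Firefox/(\d+(?:\.\d+)+)')
DISTRO_RE = re.compile(r'Ubuntu/(\d+\.\d+)|Fedora/\S+\.(fc\d+)')  # distro tags assumed in the UA string

def classify(ua):
    """(platform, firefox_version) for an attributable Firefox hit; untagged Linux hits give None."""
    ff, d = FF_RE.search(ua), DISTRO_RE.search(ua)
    if not ff or not ('Windows' in ua or d):
        return None
    return ('Win' if 'Windows' in ua else d.group(1) or d.group(2)), ff.group(1)

def vkey(v):
    return tuple(map(int, v.split('.')))  # '3.0.9' -> (3, 0, 9) so versions compare numerically

def update_share(log_text, release_date, target='3.0.9', days=5):
    """Per platform: % of distinct clients on `target` for days 1..N after release; newest version per client/day wins."""
    release = datetime.strptime(release_date, '%d/%b/%Y')
    newest = defaultdict(dict)  # (day, platform) -> {client ip: newest version seen that day}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        hit = classify(m.group(3)) if m else None
        if hit is None:
            continue
        day = (datetime.strptime(m.group(2), '%d/%b/%Y') - release).days
        if not 1 <= day <= days:
            continue
        ip, (plat, ver) = m.group(1), hit
        seen = newest[(day, plat)]
        if ip not in seen or vkey(ver) > vkey(seen[ip]):
            seen[ip] = ver
    table = {}
    for (day, plat), clients in newest.items():
        pct = 100.0 * sum(v == target for v in clients.values()) / len(clients)
        table.setdefault(plat, [None] * days)[day - 1] = round(pct)
    return table

SAMPLE = '\n'.join([  # constructed log lines, not real traffic; 21/Apr/2009 as release date is assumed
    '10.0.0.1 - - [22/Apr/2009:08:00:00 -0700] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.9) Gecko/2009042113 Ubuntu/9.04 (jaunty) Firefox/3.0.9"',
    '10.0.0.2 - - [22/Apr/2009:08:05:00 -0700] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko/2009032713 Ubuntu/9.04 (jaunty) Firefox/3.0.8"',
    '10.0.0.3 - - [22/Apr/2009:09:00:00 -0700] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9"',
    '10.0.0.4 - - [22/Apr/2009:09:30:00 -0700] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8"',
    '10.0.0.4 - - [23/Apr/2009:09:30:00 -0700] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9"',
    '10.0.0.5 - - [23/Apr/2009:10:00:00 -0700] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.9) Gecko/2009042114 Fedora/3.0.9-1.fc10 Firefox/3.0.9"',
    '10.0.0.6 - - [23/Apr/2009:10:10:00 -0700] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.20) Gecko/20081217 Fedora/2.0.0.20-1.fc10 Firefox/2.0.0.20"',
    '10.0.0.7 - - [22/Apr/2009:11:00:00 -0700] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.9) Gecko/2009042113 Firefox/3.0.9"',
])
```

Running `update_share(SAMPLE, '21/Apr/2009')` on the constructed lines gives one row per platform with a percentage for each day that had traffic and `None` otherwise; the untagged Linux client 10.0.0.7 is excluded, and 10.0.0.4 counts as 3.0.8 on day 1 and 3.0.9 on day 2.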