With all the different distributions of Linux available -- many for
free -- what distinguishes one over another? Most have the same set
of standard bells and whistles. A few have support options that
might be appealing for enterprise-level deployments.
Nevertheless, underneath the surface, they all share pretty much
the same code base. After all, that's what makes Linux so
intriguing: busy open source developers all over the planet are
always adding features or fixing bugs, and anybody can take
advantage of their work.
So, why pick one brand instead of another? One reason is
security. Not the security of the code itself, but how fast
security patches get applied and published. The faster a security
patch can be applied, the smaller the window of opportunity for
attacks that exploit those vulnerabilities. Therefore, all other
things being equal, security managers would prefer a Linux
distribution with a record of speedy publication of fixes for
security issues.
One way to make a non-scientific determination as to how quickly
various Linux distributions publish their updates is by searching
the Secunia database of advisories. It's easy to perform detailed
searches using the Danish vulnerability clearinghouse's database
to acquire the dates of code changes for known security
vulnerabilities.
For example, examine the search results for 30 shared
vulnerabilities (see table left) announced within the last six
months that affected 11 popular Linux distributions (see bottom
table). These distributions include both free versions that are
created and maintained by volunteers, and retail versions that are
sold by commercial vendors.
Simply examining some of this database information is
interesting for comparison purposes. For example, if we look at the
July update for the highly critical libmms vulnerability, we see
that all the announced updates occurred within one day. By
contrast, the libtiff and mysql vulnerabilities took 52 days and
46 days, respectively, to be patched on each of the platforms.
Clearly, some distributions are getting updates out faster than
others are.
Taking this a step further, for each of the 30 security issues,
one could find the earliest and latest updates, and assign a score
to each Linux distribution based on how quickly its handlers
addressed that issue. For instance, if a distribution fixed an
issue on the earliest date, it would receive a score of 100 for
that issue; if it was the last vendor to fix the issue, it would
get a score of 0. One can then average the scores after evaluating
the 30 issues.
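The scoring method just described, as an added Python example that is not part of the article: advisory names, distribution labels and fix dates are constructed, and the score between the two endpoints is assumed to fall off linearly with elapsed days (the article only fixes 100 for the earliest fix and 0 for the latest).

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not from the article): for each advisory, the
# date each distribution published its fix. None = no update was found.
ADVISORIES = {
    "advisory-1": {"distro-a": date(2005, 7, 1), "distro-b": date(2005, 7, 1),
                   "distro-c": date(2005, 7, 1), "distro-d": date(2005, 7, 1)},
    "advisory-2": {"distro-a": date(2005, 3, 1), "distro-b": date(2005, 3, 27),
                   "distro-c": date(2005, 4, 22), "distro-d": date(2005, 3, 14)},
    "advisory-3": {"distro-a": date(2005, 6, 25), "distro-b": date(2005, 5, 10),
                   "distro-c": date(2005, 6, 2), "distro-d": None},
}


def score_issue(fix_dates):
    """Score one advisory: 100 for the earliest fix, 0 for the latest,
    linear in elapsed days in between (the interpolation is an assumption).
    Distributions with no recorded fix are left out of the result."""
    known = {d: when for d, when in fix_dates.items() if when is not None}
    if not known:
        return {}
    earliest, latest = min(known.values()), max(known.values())
    span = (latest - earliest).days
    if span == 0:
        # Everyone shipped the same day (the libmms case): nobody is "last".
        return {d: 100.0 for d in known}
    return {d: 100.0 * (1 - (when - earliest).days / span)
            for d, when in known.items()}


def average_scores(advisories):
    """Average each distribution's per-issue scores across all advisories.
    Note the caveat: a distribution that never issued a fix for an advisory
    is simply skipped for that issue, not scored 0, so a sparse record can
    look better than a complete one."""
    totals, counts = defaultdict(float), defaultdict(int)
    for fixes in advisories.values():
        for d, s in score_issue(fixes).items():
            totals[d] += s
            counts[d] += 1
    return {d: round(totals[d] / counts[d], 1) for d in totals}


def ranking(advisories):
    """Distributions ordered from fastest to slowest average responder."""
    avg = average_scores(advisories)
    return sorted(avg.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for name, score in ranking(ADVISORIES):
        print(f"{name:10s} {score:5.1f}")
```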
In this instance, Ubuntu and Fedora received the highest scores
overall, reflecting their tendency to be among the first responders
for many issues. The lowest scores were shared by OpenBSD,
Slackware, SUSE and Trustix.
Naturally, it's unwise to put too much stock in the absolute
numbers themselves; it's better to think about what is causing
these results. For example, both Ubuntu and Fedora are free, but
are sponsored by commercial vendors (Canonical Ltd. and Red Hat
Inc., respectively). This could indicate that having corporate
resources to support free efforts is important.
Also notice that retail distributions aren't necessarily better
than free distributions in this regard. While Red Hat earned a
respectable 63, Novell's SUSE received a 32. Some retail
distributors may have a lengthier process to develop and test
fixes, because they must support more enterprise-level customers. A
similar consideration may help explain Trustix Secure Linux's low
score of 32: this distribution is oriented toward security, so
perhaps its security experts take longer to verify vulnerability
fixes.
The fact that other freely available versions like Debian score
so well may reflect the distributed nature of such projects. With
participating developers all over the world, they may be able to
pounce on problems faster than organisations limited to a single
country or site.
The bottom line is that even this informal analysis shows there
are definitely differences in how fast Linux distributions develop
and issue security patches. Security managers should keep that in
mind when their organisations are in the process of selecting a
version of Linux. Timeliness of security updates may prove to be a
key issue that differentiates manufacturers of otherwise-similar
operating systems.
Edmund X. DeJesus is a freelance technical writer in Norwood, Mass.