I don't fully agree on this one.

Linux has a wider attack vector since there are tons of packages out there. Yet the core has a lot of attention and many eyes on it, just because it is so open.

Vulnerabilities get patched rather sooner than later. Linux versions and GNU packages are running basically the entire internet, so there is definitely incentive to break into it.

It's also a lot clearer in linux when a process is doing something it shouldn't, since it's a lot easier to probe into it to check what's going on.

> It's also a lot clearer in linux when a process is doing something it shouldn't, since it's a lot easier to probe into it to check what's going on.

Is this true? It's been a while but I remember being able to set performance monitors on almost anything in Windows. It seemed to have very robust instrumentation support.


> Linux has a wider attack vector

Nit but you probably mean attack surface. A vector doesn't have a width.


Is there any evidence that security vulnerabilities are on average fixed faster in the major Linux distributions than in Windows?


Some. Here's for the Linux Kernel: https://googleprojectzero.blogspot.com/2022/02/a-walk-throug...

The dataset is quite small, but on average it took Linux 25 days to fix a 0-day while it took Microsoft 83 days.


Does that metric include the delay of fixes getting incorporated into Linux distributions (and pushed out, assuming automatic updates—maybe not a good assumption) or Windows fixes getting deployed via Windows Update?

Edit: I don’t know much about this topic, but thought “time to deployment of a fix” might be more useful. Edit again: also unclear if the comparison is “apples to apples”.


I doubt it, any more than it includes the time it takes procrastinating users to actually update their systems.


The dataset does not appear to discuss the lifecycle of Linux distributions taking the security patches from upstream, nor the update process for all of the downstream distributions.

Something that's been widely discussed elsewhere is how often security issues are silently fixed in Linus's repo and therefore not picked up by distributions for their stable/LTS releases.

I buy the immediacy of patches if you compile your own kernel from the latest kernel.org sources, not if you're relying on distributions.


> Vulnerabilities get patched rather sooner than later.

Unless they're in the file systems, in which case it's in the too hard basket.
