GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

Notices

    Kees Cook :tux: (kees@fosstodon.org), Sunday, 18-Feb-2024 15:47:44 JST:

    Last time I did a Linux kernel security flaw lifetime analysis was back in 2021. It showed the average time between flaw introduction and fix was 5.5 years for 108 "high priority" CVEs:
    https://outflux.net/slides/2021/lss/kspp.pdf

    I refreshed my dataset today and was surprised to see that now with 103 more CVEs, it's still holding at 5.5 years. This actually means Linux is getting faster at finding issues, but the (diminishing) technical debt of the past is still dragging down the average.


    Attachment: https://cdn.fosstodon.org/media_attachments/files/111/951/091/319/383/275/original/d540c9cd1f5580a4.png

    Kees Cook :tux: (kees@fosstodon.org), Sunday, 18-Feb-2024 16:12:09 JST, in reply to the notice above:

      v6.5 fixed almost twice as many "high" CVEs (19) as the second most prolific release, v6.6 (11), with v6.4 tied for 3rd place (9) with v5.17. It seems like the rate of fixing is picking up.

      Ignoring the first git release (v2.6.12), the "high" flaw counts are relatively even. The most flawed (i.e. most well tested/researched) releases have been v3.8 (9), v3.18 & v2.6.20 tied (8), and v5.9 & v4.1 tied (6).

      But there are certainly more flaws in all releases -- they just haven't been found yet.

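The two notices above describe one analysis: per CVE, the mainline release that introduced the flaw and the release that shipped the fix, from which you get a lifetime, a count of fixes per release, and a count of flaws introduced per release. The script below is an added example of that bookkeeping, not Kees Cook's own tooling. The flaw records are constructed (the identifiers are placeholders, not real CVE ids), the release dates are the mainline tag dates, and the era split at the end is an added illustration of the "old technical debt drags the average" point: the mean over the whole set sits between a large old-era lifetime and a small recent-era one.

```python
"""Flaw-lifetime bookkeeping over a constructed dataset.

Added example, not the analysis script from the notices above. In a real
run the two tags per flaw come from `git describe --contains` on the
commit named in the fixing commit's Fixes: tag and on the fixing commit
itself; here they are typed in by hand.
"""
from collections import Counter
from datetime import date
from statistics import mean
from typing import NamedTuple

# Mainline tag dates for the releases used by the sample set.
RELEASE_DATE = {
    "v2.6.12": date(2005, 6, 17),   # first release in git history
    "v2.6.20": date(2007, 2, 4),
    "v3.8":    date(2013, 2, 18),
    "v3.18":   date(2014, 12, 7),
    "v4.1":    date(2015, 6, 21),
    "v5.9":    date(2020, 10, 11),
    "v5.17":   date(2022, 3, 20),
    "v6.4":    date(2023, 6, 25),
    "v6.5":    date(2023, 8, 27),
    "v6.6":    date(2023, 10, 29),
}


class Flaw(NamedTuple):
    ident: str         # placeholder label, not a real CVE id
    introduced: str    # first release that shipped the bug
    fixed: str         # first release that shipped the fix


# Constructed records: (label, introducing release, fixing release).
FLAWS = [
    Flaw("flaw-0", "v2.6.12", "v3.18"),  # older than git history, lands on v2.6.12
    Flaw("flaw-1", "v2.6.20", "v3.8"),
    Flaw("flaw-2", "v3.8",    "v5.9"),
    Flaw("flaw-3", "v3.18",   "v6.5"),
    Flaw("flaw-4", "v4.1",    "v6.5"),
    Flaw("flaw-5", "v5.9",    "v6.4"),
    Flaw("flaw-6", "v5.17",   "v6.5"),
    Flaw("flaw-7", "v6.4",    "v6.6"),
    Flaw("flaw-8", "v6.5",    "v6.6"),
]


def lifetime_days(flaw: Flaw) -> int:
    """Days between the introducing release and the fixing release."""
    return (RELEASE_DATE[flaw.fixed] - RELEASE_DATE[flaw.introduced]).days


def mean_lifetime_years(flaws) -> float:
    """Average lifetime in years (365.25-day years) over the given flaws."""
    return mean(lifetime_days(f) for f in flaws) / 365.25


def fixes_per_release(flaws) -> Counter:
    """How many flaws each release fixed (the 'most prolific' ranking)."""
    return Counter(f.fixed for f in flaws)


def introductions_per_release(flaws, skip=("v2.6.12",)) -> Counter:
    """How many flaws each release introduced (the 'most flawed' ranking).

    v2.6.12 is skipped by default: it is the first git release, so every
    bug older than git history is attributed to it and it would dominate.
    """
    return Counter(f.introduced for f in flaws if f.introduced not in skip)


def lifetime_by_era(flaws, cutoff_tag: str):
    """Mean lifetime for flaws introduced before vs. at-or-after cutoff_tag.

    Splitting this way shows how long-lived old bugs keep the overall
    average high even when recently introduced bugs are found quickly.
    """
    cutoff = RELEASE_DATE[cutoff_tag]
    old = [f for f in flaws if RELEASE_DATE[f.introduced] < cutoff]
    recent = [f for f in flaws if RELEASE_DATE[f.introduced] >= cutoff]
    return mean_lifetime_years(old), mean_lifetime_years(recent)


if __name__ == "__main__":
    print(f"mean lifetime: {mean_lifetime_years(FLAWS):.2f} years")
    print("fixes per release:", fixes_per_release(FLAWS).most_common(3))
    print("introductions per release:",
          introductions_per_release(FLAWS).most_common(3))
    old, recent = lifetime_by_era(FLAWS, "v5.9")
    print(f"introduced before v5.9: {old:.2f} years; from v5.9 on: {recent:.2f} years")
```

Swapping FLAWS for records generated from a real repository is the only change needed; the rest of the script only depends on tag names and tag dates, which `git log -1 --format=%cs <tag>` supplies.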

GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.