[VIM] interesting thought

security curmudgeon jericho at attrition.org
Wed May 31 06:15:51 EDT 2006


: > be great. seeing there were 60% w/o solutions in 1999, and 80% w/o solutions
: > in 2005 for example. of course, this also requires the data to be kept up to
: > date pretty hardcore, but still.
: 
: The only difficulty with such metrics for multi-vendor software is 
: choosing what date to count.  Say for the Linux kernel is it the date a 
: patch was posted to a mailing list, or the day it got approved (hence is 
: now official), or the day it got committed, or the day a new kernel was 
: rolled, or for a Red Hat customer it's the day Red Hat released a kernel 
: with a fix (which could be before or in the middle or after any of those 
: dates).  Indeed, vendors often fix issues of low severity or which are 
: disputed or hard that never get fixed upstream, so these are really "no 
: solution to everyone apart from if you have a distribution from X or Y"
: 
: (For Red Hat we publish the date an issue was first public and the date 
: we released an update for all issues)

Good point. For a VDB, the only way I can think to track it and be 
consistent is to track the first date an official fix is provided in any 
capacity, even if only for one version or branch. While that may not be 
perfect, trying to track it any other way seems like it would leave a lot 
of guesswork or interpretation.

