[Openstack-security] Preferred os for rapid security patches of openstack

kesten broughton kesten.broughton at gmail.com
Sun Jun 1 21:45:01 UTC 2014


Yes, my interest is in patches for openstack modules.
We use the EPEL repos.

"pick say the last two dozen CVEs and then research
when they were fixed in each distribution and compare and you'll have
your answer."

Was that advice tongue-in-cheek? ;)

I picked one, and spent an hour looking for decent sources.
I'm looking for either archive or CSV format that includes both the patch
release date and the CVE.

I picked CVE-2014-0162

I was hoping someone had already done the work for me like this analysis of
rhel variants:
Lag for centos behind rhel patch releases
http://bitrate.epipe.com/rhel-vs-centos-scientific-oracle-linux-6_187

Comparing centos to ubuntu is problematic since the centos announce list
does not include the CVE or bug description.

Ubuntu has archives here
http://people.canonical.com/~ubuntu-security/cve/
But the bug I picked wasn't there.

I had to google around to find it here.
http://www.ubuntuupdates.org/package/core/saucy/main/updates/glance


Debian has bundled files, with CVEs but no dates, only release numbers
https://security-tracker.debian.org/tracker/

I was only able to find nice stats with everything I needed for Red Hat.
http://www.redhat.com/security/data/metrics/

If I'm missing any links to make this info more accessible please let me
know.
Otherwise, 2 dozen comparisons might take a day or two.

kesten


On Sun, Jun 1, 2014 at 1:36 PM, Kurt Seifried <kseifried at redhat.com> wrote:

>
> On 06/01/2014 12:01 PM, kesten broughton wrote:
> > Is there any difference in the rate at which security patches get
> > applied between OSes?  In particular, I'm trying to compare CentOS
> > 6.5 vs Ubuntu 14.04.
> >
> > What is the process through which security-only patches get passed
> > on to production deployments of OpenStack?
> >
> > Is there a difference in the amount of coverage testing for
> > security services between OSes?
> >
> > kesten
> >
> >
>
> Are you talking about security patches to OpenStack itself? I assume
> you're not talking about the underlying operating system. Any ways if
> this is OpenStack specific then my next question would be:
>
> how did you install OpenStack on CentOS/Ubuntu? For CentOS your
> choices would be
>
> - From upstream source
> - From EPEL
> - From RDO
> - From something else?
>
> All of which of course have different patching schedules/rates. My
> advice would be to pick say the last two dozen CVEs and then research
> when they were fixed in each distribution and compare and you'll have
> your answer.
>
> - --
> Kurt Seifried - Red Hat - Product Security - Cloud stuff and such
> PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
>
>
>
>
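The comparison Kurt suggests (take a set of CVEs, record when each distribution shipped a fix, compare the lag against the public disclosure date) is easy to script once the dates are in the CSV shape Kesten is asking for. The script below is an added example and is not code from either poster or from any of the trackers linked above. The input rows and disclosure dates are constructed placeholders: CVE-2014-0162 is the ID named in the thread, but its dates here are invented, and the `EXAMPLE-CVE-*` rows are not real CVEs. In practice the `fixed` column would be filled from the Ubuntu CVE tracker, the Debian security tracker or Red Hat's metrics CSV, and `DISCLOSED` from the CVE publication date.

```python
"""Per-distribution patch lag for a set of CVEs.

Input: CSV with one row per (CVE, distribution):
    cve, distro, fixed
where `fixed` is the date the distro shipped the fix (YYYY-MM-DD), or empty
if no fix has shipped. A separate mapping gives each CVE's public disclosure
date. Output: lag in days per distro per CVE, plus a per-distro summary.
"""
import csv
import io
from datetime import date, datetime
from statistics import median

# Constructed sample input (placeholder dates, not real advisory data).
# The EXAMPLE-CVE-* identifiers are not real CVEs.
SAMPLE_CSV = """cve,distro,fixed
CVE-2014-0162,ubuntu,2014-04-03
CVE-2014-0162,epel,2014-04-17
CVE-2014-0162,rhel,2014-04-10
EXAMPLE-CVE-A,ubuntu,2014-05-02
EXAMPLE-CVE-A,epel,
EXAMPLE-CVE-A,rhel,2014-05-06
EXAMPLE-CVE-B,ubuntu,2014-05-21
EXAMPLE-CVE-B,epel,2014-05-20
EXAMPLE-CVE-B,rhel,2014-05-24
"""

# Constructed public disclosure dates (placeholders), keyed by CVE ID.
DISCLOSED = {
    "CVE-2014-0162": date(2014, 4, 1),
    "EXAMPLE-CVE-A": date(2014, 5, 1),
    "EXAMPLE-CVE-B": date(2014, 5, 20),
}


def parse_fix_rows(csv_text):
    """Return {distro: {cve: fixed_date or None}} from CSV text."""
    fixes = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        fixed = row["fixed"].strip()
        fixes.setdefault(row["distro"], {})[row["cve"]] = (
            datetime.strptime(fixed, "%Y-%m-%d").date() if fixed else None
        )
    return fixes


def lag_days(fixes, disclosed):
    """Return {distro: {cve: lag_in_days or None}}.

    Negative lag means the fix shipped before public disclosure (embargoed
    fix); None means the distro has not shipped a fix. CVEs with no known
    disclosure date are skipped rather than guessed.
    """
    return {
        distro: {
            cve: (fixed - disclosed[cve]).days if fixed is not None else None
            for cve, fixed in per_cve.items()
            if cve in disclosed
        }
        for distro, per_cve in fixes.items()
    }


def summarize(lags):
    """Per-distro counts of fixed/unfixed CVEs and median/max lag in days."""
    summary = {}
    for distro, per_cve in lags.items():
        fixed = [d for d in per_cve.values() if d is not None]
        summary[distro] = {
            "fixed": len(fixed),
            "unfixed": sum(1 for d in per_cve.values() if d is None),
            "median_lag": median(fixed) if fixed else None,
            "max_lag": max(fixed) if fixed else None,
        }
    return summary


def rank_distros(summary):
    """Distros ordered fastest first: fewest unfixed CVEs, then lowest median lag."""
    def key(distro):
        s = summary[distro]
        med = s["median_lag"] if s["median_lag"] is not None else float("inf")
        return (s["unfixed"], med)
    return sorted(summary, key=key)


if __name__ == "__main__":
    lags = lag_days(parse_fix_rows(SAMPLE_CSV), DISCLOSED)
    summary = summarize(lags)
    for distro in rank_distros(summary):
        print(distro, summary[distro])
```

An unfixed CVE is counted rather than dropped, since silently excluding it would flatter the slower distribution; ranking on the unfixed count before the median lag reflects that. Two caveats when filling the CSV from real trackers: the "fix" date should be the date the package actually reached the repository users install from (EPEL, RDO and distro-security channels differ, as Kurt notes), and a fix can legitimately predate the disclosure date when the distro was part of the embargo.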