Edgy down?
Derek Broughton
news at pointerstop.ca
Thu Jun 5 14:01:50 UTC 2008
Mario Vukelic wrote:
> It's one thing to argue, as you do now, that people who miss the upgrade
> have a good chance of surviving without being compromised for
> considerable time. Yes, that's good to know.
>
> It's a different thing, as you basically did by criticizing my
> recommendation to upgrade,

I didn't at any point criticize your recommendation to upgrade. In fact, I
agreed with Rubin that it _is_ time to upgrade. What I criticized was your
use of the word "cannot" (with regard to not upgrading) - I don't believe
that's ever appropriate on a Linux list.

> This is utter madness. According to Secunia there were, e.g., 35
> advisories for Apache 2 from 2003 to 2007, 83% of which dealing with
> remote attack vectors, or 12% involving system access.
> http://secunia.com/product/73/?task=statistics

Well, I think that it's always good to keep up with security advisories. I
just don't believe that not doing so will immediately, or even likely, get
you in trouble - especially on a system that has been kept up-to-date with
security patches for the first 18 months of its life and has had no new
software added. Far more important to identifying the degree of
vulnerability than the numbers you give is: how many advisories have been
issued for Apache in code that existed as of October 2006. When was the
last one? It's a fairly safe bet that most such exposures have already
been fixed.
--
derek