---

FreezerBurn.org: Important: vendor updates are for you!

[ Thanks to RBM for this link. ]

“Most vendors have a security department or team. These security
teams do a number of things for various vendors, but not all
vendors go to the same extent. For example, LinuxPPC is just now
releasing updates for things that were fixed by most vendors about
six months ago. TurboLinux had a security team, but it looks like
it was cut (least important department in management’s eyes?).
Linux-Mandrake has a security team that deals with a number of
areas: Security Updates (which I deal with for MandrakeSoft, in
case anyone didn’t know), hardening of the distribution itself,
development of new security tools, and the upcoming Internet
Security Pack (aka firewall product, currently in beta testing).
RedHat issues security updates. Immunix does the same… in fact, a
number of recent advisories were due to some internal auditing on
their behalf. SuSE does the same. Debian as well… there are most
likely others, but these are the ones I deal with on a semi-regular
basis, so I think I can confidently say that these distributions
(RedHat, SuSE, Debian, Immunix, and of course Linux-Mandrake) have
good security teams that do varying degrees of security work.”

“Of course, the security teams for any given vendor can only do
so much. We can find, identify, fix, and make updated packages for
vulnerabilities, but it is up to you, the end user, to apply them.
Typically we make this as easy as possible to do. Linux-Mandrake
uses MandrakeUpdate, a tool that will automatically install updates
and make you aware of the problems associated with them. Other
distributions have similar tools or rely on mailing list messages
in security mailing lists to advise users of updated packages. All
of this is made available for the end user… you. More often than
not, we cannot force you to update your systems or even recommend
that you do. That’s one of the side-effects of a freely
downloadable and useable operating system. We can’t possibly know
who is using what, or what version.”

Complete Story
