While writing my paper for SATNAC entitled 'Patching for low bandwidth communities' I came up with two pretty graphs. The purpose of the paper is to come up with patching strategies relevant for users with low external/internet bandwidth (as opposed to internal LAN bandwidth). This is particularly relevant in developing countries with high tech usage (e.g. South Africa, Brazil, India).
Older Software Vulnerabilities
In the paper one of my hypotheses is that older software that is still being patched for security (e.g. the Linux kernel or Debian woody/stable) has fewer vulnerabilities and is therefore effectively more secure and easier to patch. I backed this up with this data (PDF) (HTML) from CVE. It covers only the Linux kernel, so it isn't hugely representative. I am not trying to explain why there are more vulnerabilities in general, although:
- Increased connectivity.
- More security research.
- Increase in popularity of Linux.
- More functionality.
all have something to do with it. As mentioned in the comments below, some vulnerabilities apply to multiple kernel versions, which is why adding up the per-version counts does not equal the total.
Binary Patching
I also had a look at the effectiveness of binary patching. I did an apt-get update on my Debian system and compared the size of the new binaries with binary patches from xdelta and bsdiff. Note that I was using xdelta v1, not the v2 beta or the v3 alpha. I also did a comparison on patching BSD ls to GNU ls to see how they performed on very different files. The results are here (PDF) (HTML) and they show that binary patching leads to a significantly smaller download. The downside is that the patch is specific to the exact base binary, but with the massive reduction in size you could still include patches for several versions and stay under the size of a full download. This problem doesn't apply to homogeneous environments.
UPDATE: enabled Apache content negotiation on the result files, but put direct links to the PDF and HTML just in case.
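To make the two points of the binary-patching section concrete (a delta is far smaller than a full download, but only reconstructs the right file against the exact base version it was built from), here is an added example that is not code from this post, from xdelta or from bsdiff. It is a toy copy/insert delta format with a SHA-256 of the target embedded in the patch, so the client refuses a reconstruction that does not match, and a small "bundle" that carries one delta per known base version, keyed by the hash of that base. The sample "binaries" V1, V2 and V3 are constructed pseudo-random byte strings, not real packages, and every function name is this example's own.

```python
"""Added example (not the author's code): a toy copy/insert binary delta,
applied with an integrity check, to show why a delta is much smaller than
a full download and why it only works against the exact base version."""
import hashlib
import random
import struct

BLOCK = 16  # match granularity; small so the constructed sample shows the effect


def make_delta(old: bytes, new: bytes, block: int = BLOCK) -> bytes:
    """Encode `new` as COPY(offset,len)-from-old / INSERT(bytes) ops, prefixed
    with SHA-256(new) so the receiver can verify the reconstruction."""
    index = {}  # block content -> first block-aligned offset in old
    for off in range(0, len(old) - block + 1, block):
        index.setdefault(old[off:off + block], off)
    ops, pending, i = [], bytearray(), 0
    while i < len(new):
        off = index.get(new[i:i + block])
        if off is not None:
            n = block
            # extend the match beyond the block while the bytes still agree
            while i + n < len(new) and off + n < len(old) and new[i + n] == old[off + n]:
                n += 1
            if pending:
                ops.append(b"I" + struct.pack(">I", len(pending)) + bytes(pending))
                pending = bytearray()
            ops.append(b"C" + struct.pack(">II", off, n))
            i += n
        else:
            pending.append(new[i])
            i += 1
    if pending:
        ops.append(b"I" + struct.pack(">I", len(pending)) + bytes(pending))
    return hashlib.sha256(new).digest() + b"".join(ops)


def apply_delta(old: bytes, delta: bytes) -> bytes:
    """Rebuild the new file; refuse to return it unless the hash matches."""
    expected, p, out = delta[:32], 32, bytearray()
    while p < len(delta):
        op, p = delta[p:p + 1], p + 1
        if op == b"C":
            off, n = struct.unpack(">II", delta[p:p + 8]); p += 8
            out += old[off:off + n]
        elif op == b"I":
            (n,) = struct.unpack(">I", delta[p:p + 4]); p += 4
            out += delta[p:p + n]; p += n
        else:
            raise ValueError("malformed delta")
    if hashlib.sha256(out).digest() != expected:
        raise ValueError("reconstructed file does not match expected hash "
                         "(wrong base version or corrupted patch)")
    return bytes(out)


def make_bundle(bases, new):
    """One delta per known base version, keyed by SHA-256 of that base."""
    return {hashlib.sha256(b).hexdigest(): make_delta(b, new) for b in bases}


def apply_from_bundle(local, bundle):
    """The client picks the delta that matches its installed version."""
    key = hashlib.sha256(local).hexdigest()
    if key not in bundle:
        raise KeyError("no delta for this base version; a full download is needed")
    return apply_delta(local, bundle[key])


# --- constructed sample "binaries" (pseudo-random bytes, not real packages) ---
rng = random.Random(7)
V1 = bytes(rng.getrandbits(8) for _ in range(40_000))
V2 = V1[:20_000] + bytes(rng.getrandbits(8) for _ in range(12)) + V1[20_012:]   # 12-byte fix
V3 = V2[:5_000] + b"\x90" * 100 + V2[5_000:] + bytes(rng.getrandbits(8) for _ in range(300))  # new release


def sizes():
    """Full download size vs the delta size from each older version."""
    bundle = make_bundle([V1, V2], V3)
    return {"full": len(V3), **{k[:8]: len(v) for k, v in bundle.items()}}


def wrong_base_rejected():
    """Applying V2's delta to a V1 install must fail the hash check, not yield a bad file."""
    try:
        apply_delta(V1, make_delta(V2, V3))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    bundle = make_bundle([V1, V2], V3)
    assert apply_from_bundle(V1, bundle) == V3
    assert apply_from_bundle(V2, bundle) == V3
    print(sizes(), "wrong base rejected:", wrong_base_rejected())
```

Running it prints the full size (40400 bytes) next to two deltas of a few hundred bytes each, which is the effect the results above describe, and shows the V2 delta being rejected when applied to V1. The embedded hash only proves the reconstruction is the file the patch author intended; it does not authenticate the patch itself, so a real deployment still signs the patch (or the package it belongs to) the way the distribution signs full downloads.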


My paper entitled, ‘Patching for low-bandwidth communities’ was accepted as a poster, bleagh. I can’t help but find that a little insulting. Telkom, our favourite monopoly gives our department lots of money so we are all obliged to go
Tracked: Aug 01, 12:37