What does “Linux developers patch a security hole” mean? Time until the patch is merged into Linus’s tree? Or, more reasonably, time until a patched kernel is available in a given distro?
Which is the point - time until patched in the kernel source tree is a relatively useless metric unless it’s pretty close to when those fixes ship to Ubuntu, Debian, CentOS, Amazon Linux - whatever the majority of Linux is these days.
Otherwise a fix in Linus’ tree is about as useful as a committed fix to the Windows source repository.
It's a bit more useful, but the breakage has to be seriously impacting my use of the system for me to roll my own kernel outside of the distro's packaging (the only one I've done is manually applying a fix to a Gentoo kernel, and even then I just throw the patch on after the normal stuff).
Either an MR or a merge into the kernel, yes. But, regardless, the comparison omits open auditing vs. closed auditing.
With closed systems being able to decide what to disclose and obfuscating their own system, the [power] user is less likely to have actual numbers for anything, be it how many flaws there are or how many were discovered internally and placed in the backlog. Then you throw some PR requirements into the mix and you'll never have a clear picture of what you're using. Just a sales pitch in a different medium.