Security doesn't mean just patching fast, but also checking whether the patches make sense. Which apparently the one from Debian for OpenSSL didn't, but the distribution with better security record just didn't bother to take a look at patches for OpenSSL.
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds