1. They all do a great job! But there's this last mile problem with managing the information they do put out.

If you can handle the downtime, unattended-upgrades will work just dandy. If your postgres restarting in the middle of the night gives you pause, our service can help you choose how to roll out your security upgrades.

2. We cover app dependencies as well! For now just Ruby, but others as well pretty soon.

I'm one of the maintainers of the Ruby Advisory Database https://github.com/rubysec/ruby-advisory-db/ - and we know all about the effort involved.

Currently, there is no straightforward way of checking Ubuntu package versions against CVEs. Debian provides this through debsecan[1], but this tool is pretty much broken on Ubuntu[2].

[1] http://www.enyo.de/fw/software/debsecan/ [2] https://bugs.launchpad.net/ubuntu/+source/debsecan/+bug/9592...

Correct, but if this will reduce the 0-day / 1-day time then it's very useful if your server does anything important. The difference between responding to Shellshock in 15 mins vs 2 hours could be exploitation.