Debian User Forums

[debbo]

Hi everyone,

I am a long-time Ubuntu user considering switching to Debian.

As far as I understand, Debian is more stable with packages going through a long testing phase. As a matter of fact, this is exactly what I am looking for.

I am just somehow concerned about packages not receiving security updates in a timely manner. For example, Chromium 84 has been released mid July (fixing 38 security issues, one being critical). Yet buster is still on version 83 (https://packages.debian.org/buster/chromium) while other distributions have already provided updates.

Would you consider this a general trade-off for Debian packages that comes with increased testing or is chromium for same reason a special case? I like like Debian's emphasis on stability, but if I have to choose between stability and security, I will take the latter any day.

[Head_on_a_Stick]

The Debian Security Team is very good at pushing fixes in a timely manner but firefox-esr seems to fare better in that respect than chromium. Not sure why.

And note that "stable" in Debian refers to the package version flux, it is not a synonym for "reliability".

[Deb-fan]

Due to the long testing period Debian gnu/nix has to be both those things to great extent, stable and secure. Browsers are kind of a special case, its good you even caught that situation with chromium. Being the most used application on pc's think web browsers should receive more attention and care. Debian can be both the things you're after though, the development process involved assures users of that. Still nothing's perfect, not even Debian, close ... Still requires competent users. A system is only as secure or stable, as we make it.

[Deb-fan]

Oops, afterthought.

Mention that i tend to advocate special care when comes to web browsers. Has to be, is a major factor in system security. The Debian development process and the main focus being producing the stable branch OS, seems that newer versions of xyz-browser can get overlooked at times. My solution is going outside the normal channels to do for myself. Pretty much the entire time using gnu/linux have gotten Firefox directly from Mozilla and run it from my users home directory. Thus automatically receive updates as soon as they come out.

Chrome adds its own repo(or did) so same, Opera remember needing to add a repo for it, then same thing, minimum delays between when updates are put out and applied. People dont have to wait on a particular pkg maintainer to ensure they've got the latest security fixes for their browser(s.) Would even consider apt-pinning if needed to make sure browsers always latest. Newest version of Firefox is found in unstable, likely same for Chromium too. Anyone really concerned about running browsers without latest patches does have options.

People packaging all this software clearly overall do a great job but doesn't hurt to do for yourself either.

[stevepusser]

Chromium seems to be more difficult to build correctly than most other browsers. I backported the 84.0.4147.105 that was in Experimental a few days ago, but it crashed like chrazy, and I see that it's since been removed from upstream. Last month, a crashy version of chromium did make it into Buster security for a few days, but a patched update fixed that.

[debbo]

Thank you for all your replies!

From what Head_on_a_Stick said, I take that security fixes are usually provided fast. I can live with manually installing and updating two or three programs where security fixes are not so easy to provide such as chromium, though I hope that it is not necessary to bypass the package manager for a greater number of packages.