Scheduled Maintenance: We are aware of an issue with Google, AOL, and Yahoo services as email providers which are blocking new registrations. We are trying to fix the issue and we have several internal and external support tickets in process to resolve the issue. Please see: viewtopic.php?t=158230

 

 

 

Debian testing – freezing security updates

New to Debian (Or Linux in general)? Ask your questions here!
Post Reply
Message
Author
sonnie
Posts: 12
Joined: 2022-07-22 07:39
Has thanked: 1 time

Debian testing – freezing security updates

#1 Post by sonnie »

Hi there,
I read, that Debian testing is freezing the security updates.
What does this exactly mean?

Is testing not getting any security updates? Afaik the packages are "just delayed SID" packages.
Was I wrong all the years?

Is testing unsecure?

Thanks in advance. :)

User avatar
canci
Global Moderator
Global Moderator
Posts: 2502
Joined: 2006-09-24 11:28
Has thanked: 136 times
Been thanked: 136 times

Re: Debian testing – freezing security updates

#2 Post by canci »

I'll try to clarify a few things, since I have a feeling that you're mixing up terms.

1. Testing never gets any security updates. Packages in Sid get all the updates, also security related ones. Once they are deemed stable enough, they are migrating to Testing. Neither Testing nor Sid are meant to be used in production. They are testing beds for developers. Thus, security is baked into Sid, and later Testing, as part of the regular updates, but it's not a primary focus in Testing. Sid gets security updates and Stable gets them as well, they are even backported to older software versions. If you care about security, stay with Stable. If you don't mind bugs and things breaking in a major fashion, you're welcome to use Sid. Be aware that Sid is not a rolling release like Arch or Suse Tumbleweed, since it's a development branch. So when things break, it might take a while till they work again, unlike in Arch. That's why I would never suggest using Sid as a rolling release, especially during freeze time (see 2 further below).

From https://wiki.debian.org/Status/Testing :
Security for testing benefits from the security efforts of the entire project for unstable. However, there is a minimum two-day migration delay, and sometimes security fixes can be held up by transitions. The Security Team helps to move along those transitions holding back important security uploads, but this is not always possible and delays may occur. Especially in the months after a new stable release, when many new versions are uploaded to unstable, security fixes for testing may lag behind. If you want to have a secure (and stable) server you are strongly encouraged to stay with stable.
2. Around the 1,5 to 2 year mark, Debian devs decide that the system is ready enough to be frozen. The freeze means that new versions of software aren't allowed except in very important exceptions (e.g. a major version is much more secure or much more stable and it's hard to backport the new security features into the old version). This doesn't mean that security fixes are frozen. Those can still be introduced or backported to the older version in Testing. Once most of the bugs are ironed out, the frozen Testing release becomes Stable. During Freeze time, Sid also doesn't get new packages. Typically because the devs are super busy ironing out the bugs for Stable. So it might be months till new versions of certain software arrive during Freeze time. Hence my suggestion not to use Sid as a rolling release.

tl;dr -- Don't use Testing or Sid in production, but if you really want to, Sid will have the security fixes sooner than Testing, but it might break more often than Testing. Don't listen to nonsense from Redditors that claim Debian Sid is a rolling release like Arch, because it's not. It's a development system. And so is Testing. Debian is about stability, not the "shiny new shiny".

Also, read the Debian FAQ and preferably the Debian Reference Guide (available online or as a package).
Image Stable / Asus VivoBook X421DA / AMD Ryzen 7 3700U / Radeon Vega Mobile Gfx (Picasso) / 8 GB RAM / 512GB NVMe

READ THIS:

* How to Post a Thread Here
* Other Tips and Great Resources

sonnie
Posts: 12
Joined: 2022-07-22 07:39
Has thanked: 1 time

Re: Debian testing – freezing security updates

#3 Post by sonnie »

Thanks for clearing things up.

I really like the vibe of debian, but I need to use more up do date software, which is not always available as flatpak – and since I really dislike building things from the source because of the lack of updateability with a packagemanager, I need to use a distro with more up do date packages.

I also try to ONLY use user built distros – I've been years on Arch, later on its derivates like Antergos, Manjaro and EndeavourOS. I use Debian Testing now for about 2-3 Months on my working/productive machine and my gaming machine (better performance than Stable) without any issues at all. Not a single problem to solve. I had way more with vanilla Arch. At least once a month. In Testing, packages are up to date enough and it has the rolling release feeling. I may look dumb now, for me, Testing/SID are close enough to a rolling release to me, even if not meant to be rolling.

I tried stable, but already was used to the latest Gnome looks and feel (and the gnome-apps with their up to date functionality), so Stable never was a real option for me and just felt like a very old machine from many years back. So, Testing is something in between to the latest package versions and stability.

User avatar
canci
Global Moderator
Global Moderator
Posts: 2502
Joined: 2006-09-24 11:28
Has thanked: 136 times
Been thanked: 136 times

Re: Debian testing – freezing security updates

#4 Post by canci »

Maybe try Manjaro again. That's what I use for my gaming rig. I don't think I'd be happy with compiling all the latest emulators myself xD
Manjaro is kind of like Testing in that it gives me packages that are fresh enough, but updates don't come literally every day like in Arch. Still, if I need fresher packages, I just look at the AUR. In most cases, it's there.
Image Stable / Asus VivoBook X421DA / AMD Ryzen 7 3700U / Radeon Vega Mobile Gfx (Picasso) / 8 GB RAM / 512GB NVMe

READ THIS:

* How to Post a Thread Here
* Other Tips and Great Resources

sonnie
Posts: 12
Joined: 2022-07-22 07:39
Has thanked: 1 time

Re: Debian testing – freezing security updates

#5 Post by sonnie »

I know Manjaro and don't want to use it ATM (or ever) again. Same with Arch. AUR often gave me headache (I was on Arch since 2015ish).

Since I have no issues with Testing, I only wanted to know, if there are no security updates at all. But it seems, that it's totally fine, normally just delayed for a few days. So no need to change ATM. Maybe Stable with Backports at some time. Or pacstall, but I never tried.

I never compile anything myself, I have no problems with Lutris or Steam/Proton or (BS) nVidia-drivers with Testing and two totally different systems.

Thanks. :)

User avatar
canci
Global Moderator
Global Moderator
Posts: 2502
Joined: 2006-09-24 11:28
Has thanked: 136 times
Been thanked: 136 times

Re: Debian testing – freezing security updates

#6 Post by canci »

Another option would be to use a distro that has more frequent release cycles,like Fedora or Ubuntu. Those will be less hands on and you'll get newer packages every 6 months.
Since Ubuntu is also used in production, fixes might come quicker than on a random mom and pop distro.

Ultimately, the decision between using a stable distro and one that moves more quickly is a trade off between stability and freshness. I decided years ago that my laptop is my main machine and that any annoying bug or security flaw is unacceptable. On my gaming rig, I don't care about bugs that much. If a game crashes, I don't really lose money or work time.

And yes, subsystems that offer newer softwarw as statically compiled packages, like Lutris does with different versions of Wine, or something like Flatpak or Appimage are also possible avenues, albeit all less trustworthy than a curated system like Debian IMHO.
Image Stable / Asus VivoBook X421DA / AMD Ryzen 7 3700U / Radeon Vega Mobile Gfx (Picasso) / 8 GB RAM / 512GB NVMe

READ THIS:

* How to Post a Thread Here
* Other Tips and Great Resources

sonnie
Posts: 12
Joined: 2022-07-22 07:39
Has thanked: 1 time

Re: Debian testing – freezing security updates

#7 Post by sonnie »

canci wrote: 2022-10-03 13:34 Another option would be to use a distro that has more frequent release cycles,like Fedora or Ubuntu. Those will be less hands on and you'll get newer packages every 6 months.
Since Ubuntu is also used in production, fixes might come quicker than on a random mom and pop distro.
Fedora is no option for me, since it's from IBM (and even faster with package release than Arch, hence even more unstable from my experience).
Ubuntu is made by Canonical with their weird decisions (SNAP is just one of many, I can't and will not support).

Maybe OpenSuse Tumbleweed is worth a look, but I dislike YAST and zyppers usability.

Debian, Arch and IIRC Void are the only user curated distributions. And Slackware, but ... yeah ... no. :mrgreen:

User avatar
canci
Global Moderator
Global Moderator
Posts: 2502
Joined: 2006-09-24 11:28
Has thanked: 136 times
Been thanked: 136 times

Re: Debian testing – freezing security updates

#8 Post by canci »

I forgot about Slackware :)
To be honest, I've never used it beyond maybe installing it once 15 years ago.
Image Stable / Asus VivoBook X421DA / AMD Ryzen 7 3700U / Radeon Vega Mobile Gfx (Picasso) / 8 GB RAM / 512GB NVMe

READ THIS:

* How to Post a Thread Here
* Other Tips and Great Resources

sothis6881
Posts: 6
Joined: 2017-12-01 17:10
Has thanked: 5 times

Re: Debian testing – freezing security updates

#9 Post by sothis6881 »

sonnie wrote: 2022-10-03 13:41
canci wrote: 2022-10-03 13:34 Another option would be to use a distro that has more frequent release cycles,like Fedora or Ubuntu. Those will be less hands on and you'll get newer packages every 6 months.
Since Ubuntu is also used in production, fixes might come quicker than on a random mom and pop distro.
Fedora is no option for me....
Debian, Arch and IIRC Void are the only user curated distributions. And Slackware, but ... yeah ... no. :mrgreen:
Have you considered checking out Solus?

User avatar
canci
Global Moderator
Global Moderator
Posts: 2502
Joined: 2006-09-24 11:28
Has thanked: 136 times
Been thanked: 136 times

Re: Debian testing – freezing security updates

#10 Post by canci »

Oh yes, Solus is also a more curated rolling release-ish distro.
Image Stable / Asus VivoBook X421DA / AMD Ryzen 7 3700U / Radeon Vega Mobile Gfx (Picasso) / 8 GB RAM / 512GB NVMe

READ THIS:

* How to Post a Thread Here
* Other Tips and Great Resources

Post Reply