edit: WHICH ONE OF YOU FUCKING MEMELORD FOUND MY ADDRESS AND SENT ME THIGH HIGHS AND CAT EARS?

  • Qwel@sopuli.xyz · ▲7 · 1 day ago

    I mean, they distributed the xz attack, and then rolled it back when a Debian sid user signaled it. This is just not a viable way to do things, especially if the number of users increases. You need a stronger testing policy before the update hits the users; you shouldn’t just assume everything can be fixed by further updates. Debian stable is a bit on the extreme side of that, but Debian testing or Fedora feel much more reasonable long term to me.

    • 1984@lemmy.today · ▲2 ▼2 · edited · 1 day ago

      Yeah I remember that. It was a very rare event though. For Linux users that want the latest versions, this will happen and there is no way to avoid it.

      We take risks either way. Either by using old bugs or new bugs.

      I think all apps should be much more sandboxed than they are today, but it would require a new way of writing and running apps. We have Flatpak though; it’s a start.

      • Qwel@sopuli.xyz · ▲1 · 24 hours ago

        The old bugs will not send your ssh keys to an unknown network address. If they did, they would get patched or not published. These bugs are known in advance, they are not risks, they are issues. You can make a decision to use them or not, and then you’re set for 5 years. Like, they are both bugs, but they work out very differently if you want to rely on your system.

        The thing is that Fedora or Debian testing (and derivatives) bring the latest version fast enough for the vast majority of people. They don’t make bugs last longer like Debian stable does. When an app is bugged for two weeks, you encounter the bug one month after Arch users, then you get the fix two weeks later. The total bugged time stays the same, but the risk of something really bad happening is much lower. The downside is being one or two months late, and most people don’t care about this kind of delay. (Obviously when bugs are found, it can be much more than one or two months.)

        • 1984@lemmy.today · ▲1 ▼3 · edited · 24 hours ago

          I know from experience it’s not just a couple of months if we are talking Debian stable.

          Here is what ChatGPT is saying, even though the versions are already outdated:

          Debian Stable lags behind Arch Linux by roughly 1–3 years on most core packages:

          Breakdown by category:

          Component             Debian Stable               Arch Linux        Typical gap
          Linux kernel          ~6–18 months behind         Rolling, latest   ~1 year
          GCC / LLVM / Clang    ~1–2 major versions behind  Latest stable     1–2 years
          Python / Node / Go    1–3 versions behind         Latest stable     1–2 years
          GNOME / KDE / XFCE    One major release behind    Current           1–1.5 years
          Systemd               Usually current − 1         Current           6–12 months
          glibc / coreutils     Often within ~1 year        Current           6–12 months
          Security patches      Backported rapidly          Upstream latest   0 delay on fixes

          In practice:

          Debian 12 (Bookworm, mid-2023) ships kernel 6.1, GCC 12, GNOME 43.

          Arch (today) has kernel 6.11, GCC 14, GNOME 47.

          So Debian Stable is about 2 years behind Arch overall, though security backports mean it’s not “outdated” for production.

          • Qwel@sopuli.xyz · ▲2 · 23 hours ago

            Yes, Debian stable and testing are two very different things. Testing is essentially a slower rolling release that only takes packages that have been tested in Debian unstable, which is a very fast rolling release. Similar thing with RHEL, Fedora is a quasi-rolling distro that takes packages after testing in Fedora rawhide.

            • 1984@lemmy.today · ▲2 ▼1 · 23 hours ago

              Yeah. Maybe Debian testing is fine. A couple of months’ delay is not a huge deal, even though I really want the latest packages myself. When a new version of Plasma or GNOME is released, I’m right there waiting for it immediately… :)