The recent #CUPS #vulnerability and previous #XZUtils compromise show that my previously-held opinions about #Debian Stable vs Testing (and #FOSS / #OpenSource #security in general) were not entirely accurate.
In their own docs, the Debian devs say, "If security or stability are at all important for you: install stable. period. This is the most preferred way." (https://www.debian.org/doc/manuals/debian-faq/choosing.en.html#s3.1) Personally, I'd always held the belief that trust in the package developers was sufficient, and that having the distro do extra checks was superfluous.
I now see that #Linux distros' approvals of #software are much like an enterprise #PatchManagement system: adding an extra layer of verification, checking for vulnerabilities/#threats, compatibility, and integrity within an environment as part of #DefenseInDepth #BestPractices against, among other things, #SupplyChain attacks.
While my reservations about the age of Debian Stable's packages remain, that too may change some day. Security is all about learning and acting based on the best data and information available.