@secbox the biggest thing you can do against supply chain attacks is staging and not going with HEAD.
That's Debian/Stable. It may be 2 years old. But it's rock solid with known issues. And no need to worry about security updates. They typically do not break anything. Install "unattended-upgrades" and be happy.