PSA: You should know that Debian Trixie/Testing does not receive security updates in a timely manner, and is not intended for production use (programming.dev)

submitted 1 month ago by moonpiedumplings@programming.dev to c/linux@programming.dev

25 comments fedilink hide all child comments

https://security-tracker.debian.org/tracker/CVE-2024-47176, archive

As of 10/1/24 3:52 UTC time, Trixie/Debian testing does not have a fix for the severe cupsd security vulnerability that was recently announced, despite Debian Stable and Unstable having a fix.

Debian Testing is intended for testing, and not really for production usage.

https://tracker.debian.org/pkg/cups-filters, archive

So the way Debian Unstable/Testing works is that packages go into unstable/ for a bit, and then are migrated into testing/trixie.

Issues preventing migration: ∙ ∙ Too young, only 3 of 5 days old

Basically, security vulnerabilities are not really a priority in testing, and everything waits for a bit before it updates.

I recently saw some people recommending Trixie for a "debian but not as unstable as sid and newer packages than stable", which is a pretty bad idea. Trixie/testing is not really intended for production use.

If you want newer, but still stable packages from the same repositories, then I recommend (not an exhaustive list, of course).:

Opensuse Leap (Tumbleweed works too but secure boot was borked when I used it)
Fedora

If you are willing to mix and match sources for packages:

Flatpaks
distrobox — run other distros in docker/podman containers and use apps through those
Nix

Can get you newer packages on a more stable distros safely.

top 25 comments

sorted by: hot top controversial new old

[-] lurch@sh.itjust.works 52 points 1 month ago

crazy how testing is not for production. next thing you're tellling me unstable isn't stable smh /s

[-] al4s@feddit.org 2 points 1 month ago

I mean you'd still expect that critical security fixes would land in testing, no?

[-] uiiiq@lemm.ee 14 points 1 month ago

Why bother? Backporting security updates or updating packages is work and in case of debian often unpaid. Trixie is for testing new packages and configurations, does not make a ton of sense to keep everything up to date.

[-] lurch@sh.itjust.works 0 points 1 month ago

it would be nice, but i only expect them to arrive with the regular package updates, i.e. when a new version of cups with the fix in it is released, not an extra quicker fix from the distro maintainer.

[-] Scoopta@programming.dev 16 points 1 month ago

How are fedora or SUSE valid alternatives "from the same repos"? They're not even based on Debian or Debian repos?

[-] bjoern_tantau@swg-empire.de 7 points 1 month ago

Maybe they use OpenSUSE's https://openbuildservice.org/. It can handle multiple distributions. It's like the AUR without touting it to be the second coming of Christ.

[-] moonpiedumplings@programming.dev 4 points 1 month ago

Sorry. I meant if you wanted to use only packages from one set of repositories/one distro, for if you were looking for lower level packages like the kernel or desktop environment to be updated.

[-] lvxferre@mander.xyz 13 points 1 month ago* (last edited 1 month ago)

Yeah, using Testing directly is a bad idea. Instead pick a distro based on ~~Testing - like LMDE (Linux Mint Debian Edition);~~ or if you really need bleeding edge use Sid instead, but be aware that it was named after the child who breaks toys for a reason.

EDIT - as the comments say LMDE is based on Stable. In my defence when I used it it was still based on Testing. (And it was a rolling release. Yup, LMDE "1" times.)

[-] Scoopta@programming.dev 2 points 1 month ago

Maybe it's just been good luck, or maybe I pay enough attention to what apt is going to do and know how to deal with it but I've been daily driving sid for years and am convinced it's more stable than arch based on friends I have that run arch...maybe it's just I'm more experienced but it really doesn't break that much. Obviously ymmv.

[-] lvxferre@mander.xyz 4 points 1 month ago

I think that it's partially due to Debian's focus on stability. If they call it "stable" it's rock solid; if they call it "unstable" it's still fairly usable, it's just the 0.1% odds that it'll evoke Cthulhu in the process.

In my Sid times I managed to break it, but to be fair it was more like a Frankendebian at that point.

[-] moonpiedumplings@programming.dev 2 points 1 month ago* (last edited 1 month ago)

Linux mint debian edition is not based on testijg, but rather on stable*.

This misconception may be caused by the fact that the latest debian stable, has newer packages than many of the older-but-not-ancient ubuntu releases, which were originally based off of debian sid.

*I cannot find a first party source for this, only third party

Linux Mint Debian Edition 6 hits beta with reassuringly little drama. Think Debian 12 plus Mint's polish and a friendlier UX for non-techies

https://www.theregister.com/2023/09/13/linux_mint_debian_edition_hands_on/

[-] lvxferre@mander.xyz 1 points 1 month ago* (last edited 1 month ago)

I fixed it, based on info that you and @cqst@lemmy.blahaj.zone provided. Thanks you both for pointing this out!

(The misconception is actually outdated info. LMDE 1 lasted a really long time, and it was Testing-based.)

I cannot find a first party source for this, only third party

I found info in the Linux Mint forums about this. Not quite first party source as it's just user discussion, but still closer.

[-] jim@programming.dev 7 points 1 month ago

PSA for Debian Testing users: read the wiki

https://wiki.debian.org/DebianTesting

Control-F security returns 18 results. This is well known and there's even instructions on how to get faster updates in testing if you want.

[-] 0x0@programming.dev 5 points 1 month ago

Stick to stable for production. Patches for vulnerabilities will go to stable asap. That's where you want them, not testing or unstable.

[+] toasteecup@lemmy.world -14 points 1 month ago

I would sooner use Windows before using Fedora. Fortunately, Linux Mint or Ubuntu exist instead.

[-] sweng@programming.dev 10 points 1 month ago

I would sooner use Windows before using Fedora

Why?

[-] toasteecup@lemmy.world -3 points 1 month ago

https://lemmy.world/comment/12653110 too lazy to copy pasta the whole thing

[-] Contort3860@links.hackliberty.org 8 points 1 month ago

I'm not a fan of Fedora either, but it's still linux. Always better than Windows, unless you have some very serious reason for disliking it that much.

[-] toasteecup@lemmy.world 3 points 1 month ago

Not sure if anyone else will think it's good enough but I do.

Redhat as a company acts like a parasite on open source, producing a product that is garbage which they then charge money for their support plans. Have an issue with their offering? Fuck you. In addition to that, I absolutely beyond a doubt HATE how they do their filesystem and just willy nilly do whatever the fuck they think is best instead of following community established patterns and designs. Top it off with, who was the first to adopt systems? Redhat.

Stepping away slightly from that, have you dug into ansible's internal before? Actual fucking idiot decisions. Have an issue with tower or AAP (stupid fucking name) good luck getting it fixed. According to their documentation you can have vaulted vars in a cars file with plaintext cars. According to reality, that's causes intermittent failures and has for the past 8 years. There have been SEVERAL GitHub issues submitted but it's still not fixed.

Fuck redhat and fuck their bullshit like fedora. If I wanted to use a garbage distro, I'd at least want to use one that isn't pretending to be decent.

[-] 0x0@programming.dev 6 points 1 month ago

Ever heard of Rocky?

[-] toasteecup@lemmy.world 4 points 1 month ago

It's new to me, reading up on it now. Seems cool given the goals and it's the OG CentOS guy. I wasn't the biggest CentOS fan, but I liked it more than fedora for sure. It does still have similar issue like FHS violations but given it's not a redhat product I'd be more willing to use it.

[-] SQkwax5cJJ2N9b@programming.dev 6 points 1 month ago

More specifically, what issue do you have with their "filesystem"? Not using ansible, but i think fedora is miles ahead of arch for example.

[-] toasteecup@lemmy.world 2 points 1 month ago

Layout of where they put their files had (the last one I actually had to dig into a fedora system) multiple violations of the FHS. I'm very big on standards since things work well when you're not violating standards.

Obviously, people don't have to follow the FHS and redhat definitely doesn't but doing so gives more of a nice consistent experience to any technician, sys admin or sys engineer.

[-] Contort3860@links.hackliberty.org 5 points 1 month ago

Mostly my reasons for avoiding Fedora as well. But if someone else ends up on Linux due to Fedora then it's still better than Windows.

I might not like it but it might, sadly, be perfect for someone else.

[-] toasteecup@lemmy.world 3 points 1 month ago

That's a fair way to think about it and I think I'd agree with you on it's better that someone is on Linux even fedora than Windows but for myself I'd take windows over fedora. Appreciate you engaging respectfully.

this post was submitted on 01 Oct 2024

84 points (96.7% liked)

Linux

5187 readers

77 users here now

A community for everything relating to the linux operating system

Also check out !linux_memes@programming.dev

Original icon base courtesy of lewing@isc.tamu.edu and The GIMP

founded 1 year ago

MODERATORS

Ategon@programming.dev

anzo@programming.dev

dwraf_of_ignorance@programming.dev