
And honestly, for desktops, Debian testing is plenty stable IME and stays quite up to date. It's what I've run on my laptop for years with absolutely no issues.


Debian Testing is the least secure Debian distribution:

- "Please note that security updates for 'testing' distribution are not yet managed by the security team. Hence, 'testing' does not get security updates in a timely manner."[1]

- "Compared to stable and unstable, next-stable testing has the worst security update speed. Don't prefer testing if security is a concern."[2]

- "[Testing's] security updates are irregular and unreliable."[3]

Most Debian users should use Stable. If a user wants a newer version of some software, they should write a Bash script to install it from source. When I used Debian Stable on the desktop, my installers allowed me to have the latest versions of all of the software of which I wanted the latest versions.

If a Debian user wants up-to-date software but they don't want to write their own installers, they should consider using Fedora instead.

[1] https://www.debian.org/releases/testing/

[2] https://wiki.debian.org/DebianTesting

[3] https://release.debian.org/


Yes. I know. For a desktop, bluntly, no, security is not a primary concern (I've also turned off spectre mitigations and so forth), and stable is waaaay too stable for desktop usage.

Frankly, this kind of purist ideology--to the point of suggesting people use a different distribution--is simply ridiculous.

For servers I'm running on the open internet, yes, you are absolutely right. But in that case I just run stable.


Security being a primary concern is a "purist ideology"? LOL.


The way you've framed it? Yes.

The choices aren't some purist notion of "secure" versus "not secure".

Security is a spectrum of practical choices informed by threat models, and it's only one (certainly important!) aspect of the complex choice of selecting an operating system.

For example, I would absolutely advise my mother-in-law to write complex passwords on sticky notes. She's far more likely to fall victim to credential stuffing than to have her apartment broken into and her passwords stolen, and I accept that trying to get her to use a password manager would certainly fail and she'd just fall back on reusing simple passwords.

A security purist who thinks in terms of "secure" or "not secure" would scoff at this. Writing down passwords! That cannot be done!

But given the threat model and an acceptance of expected user behavior, it's a perfectly valid choice.

If I'm running a Linux desktop, I've already made a more secure choice by getting out of the firing line of typical untargeted malware.

With some additional basic security hygiene, the greatest threats are a) phishing/social engineering, for which zero days aren't the primary concern, or b) targeted attacks where clearly they are.

As I'm not a target of interest, I'm not too terribly worried about the latter. As for the former, distro choice doesn't make much of a difference.

So yeah, given that threat model, I'm comfortable waiting the few days it takes for security fixes to trickle down from sid to testing. And if I really cared, I'd follow the guidance mentioned in one of the links you posted, and just pull patches down from sid on an as-needed basis.

Switching to a completely different distro, by contrast, would be a ridiculous overreaction given the context and associated trade-offs.


How up to date is it? That might be attractive after years of Ubuntu. How is the proprietary driver support?


Pretty darn up to date. Tbh I think it's not unusual for it to be more up to date than the current Ubuntu stable (which I thought started out as a snapshot of Sid).

As for proprietary drivers, the non-free repos have traditionally carried everything I need.


Excellent, thank you.



