On Mon 22 Jul 2024 at 18:10:24 (-0400), Jeffrey Walton wrote:
> On Mon, Jul 22, 2024 at 5:41 PM Andy Smith <a...@strugglers.net> wrote:
> > On Mon, Jul 22, 2024 at 01:38:07PM +0500, 타토카 wrote:
> > > [...]
> > > 4. As I know Debian Sid does not have some packages like Arch, why? They
> > > have rolling releases? I mean packages, for example, hyprland.
> >
> > Debian sid is not a rolling release. Debian does not have a rolling
> > release. Additionally, Debian sid isn't a release of any
> > description.
> >
> > You should not be using Debian sid.
>
> I wish Debian had a rolling release. Years between releases means
> software will get stale and accumulate bugs that will lead to
> vulnerable and exploitable hosts on the network.
>
> A perfect case in point is the "TTY1 layer bug",
> <https://thenewstack.io/design-system-can-update-greg-kroah-hartman-linux-security/>.
> Folks thought it was benign, and did not patch it or port existing
> patches. It was one of those accumulated bugs that would get cleared
> at the next major release. Then, years after it was disclosed, someone
> figured out it was exploitable.
>
> A rolling release of 6 months would have cleared the bug close to the
> time it became known. It would not have festered for years.
>
> Fixing a bug close to when it becomes known is evidence of a [more]
> secure system. That's because most compromises happen three or six
> months after the bug was disclosed and patches were available. And the
> compromises continue for years afterwards. Confer,
> <https://www.cs.umd.edu/~waa/pubs/Windows_of_Vulnerability.pdf>.
I'm not sure what your point is. This article was written in 2016, at
which time jessie was the stable release and wheezy was oldstable. The
kernel version in wheezy was 3.2. The article says:

"However, running old kernel doesn't mean it's a bad thing. There are
genuine reasons why people do run older kernels, and that is why Linux
maintains LTS releases, updating them, largely thanks to Kroah-Hartman's
coordination work, with bug fixes long after the bulk of development work
has moved on to newer versions of the kernel. But what good is fixing
those older releases if companies are not pushing the patches to their
Linux-dependent devices?

"Over four years old, the 3.2 kernel is an LTS release and still is
getting two fixes a day and being updated on a regular basis: Kernel
developer Ben Hutchings is doing a release every other week. The Debian
community is doing an excellent job at taking those patches and keeping
it updated.

"'A non-profit organization built of volunteer people is doing a better
job than some of the largest Linux providers out there. That's insane.
That's bad. Base yourself on Debian or update your kernel overtime,'
Kroah-Hartman said."

The machine I'm typing on is running bullseye and was installed with
linux-image-5.10.0-13-amd64. It's running linux-image-5.10.0-31-amd64
now, so that's 22 different versions over 27 months, and a lot of work
put in by the Debian Kernel Team, thanks. I think Kroah-Hartman's praise
still applies.

Cheers,
David.
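Both messages above turn on the gap between a fix being available and a fix actually running: the "Windows of Vulnerability" paper in the first message measures the time between disclosure and compromise, and the reply counts the kernel packages Debian shipped for one bullseye box. A frequently updated kernel package only closes that window once the host has been rebooted into it. The following is an added example, not code from the thread or from Debian, that checks for the "newer kernel installed but old one still in memory" state by comparing the Debian ABI number of the running kernel (the `31` in `5.10.0-31-amd64`) with the newest `linux-image-*` package on disk. The release-string format, the package naming, and the sample input are assumptions stated in the comments.

```sh
#!/bin/sh
# Added example (not from the thread): detect the "patch is installed but
# not running" gap on a Debian host by comparing the running kernel's
# Debian ABI number with the newest linux-image package on disk.
# Assumptions: release strings look like 5.10.0-31-amd64 (upstream
# version, Debian ABI number, flavour) and installed kernels are packaged
# as linux-image-<release>; the metapackage linux-image-amd64 is skipped.

# Print the Debian ABI number of a release string (5.10.0-31-amd64 -> 31),
# or nothing if the string does not follow that scheme.
abi_of() {
    printf '%s\n' "$1" | sed -n 's/^[0-9][0-9.]*-\([0-9][0-9]*\)-.*$/\1/p'
}

# kernel_status RUNNING_RELEASE INSTALLED_PACKAGES
#   RUNNING_RELEASE    as printed by `uname -r`
#   INSTALLED_PACKAGES whitespace-separated linux-image-* package names
# Prints one of: current, reboot-needed, unknown
kernel_status() {
    running=$1
    installed=$2
    run_abi=$(abi_of "$running")
    if [ -z "$run_abi" ]; then
        echo unknown          # not a Debian-style release string
        return 0
    fi
    newest=0
    for pkg in $installed; do
        abi=$(abi_of "${pkg#linux-image-}")
        [ -n "$abi" ] || continue       # metapackage or foreign name
        if [ "$abi" -gt "$newest" ]; then
            newest=$abi
        fi
    done
    if [ "$newest" -gt "$run_abi" ]; then
        echo reboot-needed    # newer kernel installed, old one still in memory
    else
        echo current
    fi
}

# Constructed sample input mirroring the bullseye box in the reply above:
# installed with ABI 13, later upgraded to ABI 31, but not yet rebooted.
sample_running=5.10.0-13-amd64
sample_installed='linux-image-5.10.0-13-amd64
linux-image-5.10.0-31-amd64
linux-image-amd64'
echo "sample host: $(kernel_status "$sample_running" "$sample_installed")"
```

On a live Debian host the same function can be fed real data with `kernel_status "$(uname -r)" "$(dpkg-query -W -f='${binary:Package}\n' 'linux-image-*')"`. One caveat: a security update can ship under the same ABI number with only the Debian package version changing, so the ABI comparison is a first check rather than a complete one; a stricter version compares the package version that `uname -v` prints in its Debian string against `dpkg-query -W -f='${Version}'` for the running image, using `dpkg --compare-versions` rather than a numeric test.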