On 22 Jul 2024 18:10 -0400, from noloa...@gmail.com (Jeffrey Walton):
> A perfect case on point is "TTY1 layer bug",
> <https://thenewstack.io/design-system-can-update-greg-kroah-hartman-linux-security/>.
> Folks thought it was benign, and did not patch it or port existing
> patches. It was one of those accumulated bugs that would get cleared
> at the next major release. Then, years after it was disclosed, someone
> figured out it was exploitable.
Considering that major Debian releases happen about once every two years, and running Stable is encouraged for most users over either Oldstable, Testing or Unstable, and that the bug was believed not exploitable for "years" (plural), it seems like people would have had time to upgrade to a release incorporating a fixed version _before_ "someone figured out [the bug] was exploitable".

Is it great? Not really. Whether or not a bug is exploitable in a security sense is unrelated to whether someone has publicly announced that it is.

On the flip side, look at the kernel developers; nowadays _every_ kernel bug gets a CVE whether or not it's believed possible to exploit, on the assumption that a bug in the kernel _might_ be exploitable and _might_ result in some sort of security compromise. (By "security" here I am referring primarily to the C-I-A triad: loss of one or more of confidentiality, integrity or availability.) Hence the dozens of CVEs listed in every Debian kernel upgrade announcement.

If you want something resembling a rolling release, nothing prevents you from running Testing (but you lose out on specific security support; you'll probably get an updated package sooner than if you were running Stable, but you probably won't get security fixes quicker than those trickle out to Stable) or even a distribution which _does_ do a rolling release. Or you could use something like the non-LTS Ubuntu versions, or perhaps Fedora, upgrading every half year or so.

Debian's approach of largely frozen major releases and minor updates to those has advantages and disadvantages. Its primary upside IMO is stability. How often does an upgrade within a Debian Stable major version break anything? (_Very_ rarely.) The nice part is that if that isn't for you, you can choose something which better suits your needs.

-- 
Michael Kjörling 🔗 https://michael.kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”