Hi,

On 2024-03-30 10:49, Jonathan Carter wrote:
> Another big question for me is whether I should really still
> package/upload/etc from an unstable machine.

I have been using unstable myself on most of my systems for the past several years. There are many advantages, including being able to actually test Debian, as many have said in this thread. Case in point, the xz backdoor was discovered by a Debian unstable user: it would likely have been found much later had they used stable instead.

Without trying to be overly dramatic, though, I consider the xz incident as some sort of 9/11 of Linux distros. Everyone knew it could have happened, but now that it has, and we see how relatively easy it was, I think it's time to re-evaluate things. I now no longer think that sid is secure enough for high-profile targets such as DDs. All it takes is one bad upload, and your systems are immediately compromised. Sure, bad stuff can eventually make it to stable as well, but the longer it takes, the more likely it is for the malicious change to be spotted.

Other than the time aspect, there's the problem of binary uploads too. How long would it take to spot a well-crafted, malicious binary upload to sid?