On Sat, Jan 18, 2025 at 07:12:30PM +1100, George at Clug wrote:
>
> Thanks Roberto, and others who tried to explain Backporting, I will
> need to read this and think about it for a while.
>
> To make comment, I stay away from FlatPacks (the MS world tried this
> kind of technology once, I wonder if they still do)?
>
> I prefer stability and hence Debian Stable with its "not rolling
> release". Even if I don't have yesterday's release, so far that has
> not been an issue I cannot get around.
>
> Nothing is "secure", just maybe more secure than other ways.
> Nothing is "stable", just maybe more stable than other ways.
>

The notions of "secure" and "stable" require that you define those terms for your specific use case. "Secure" means one thing if your threat model is jackbooted thugs crashing through your door in the middle of the night while you sleep and it means something different if your threat model is script kiddies selling their services via task rabbit or something like that and something else if you are concerned about trusted insiders exploiting your data.

A similar concept applies for "stable". Sometimes "stable" means "behavior does not change, to the maximum extent possible" and other times it means "new features are deployed in order to continue being able to interoperate with some other system".

The general threat model for "secure" in Debian (as in how the Security Team tends to approach assessment and remediation of vulnerabilities) tends to lean in the direction of prioritizing vulnerabilities with remote exploitability and those which do not require authenticated access (or low privileges). And for "stable" it definitely leans hard toward "no behavior change at all when possible, and only minimal change when change is unavoidable".

If your needs for "secure" and "stable" don't line up with how the Debian Security Team approaches those things, then it is worth considering alternatives.

I hope this helps you to understand the overall approach.

Regards,

-Roberto

-- 
Roberto C. Sánchez