https://security-tracker.debian.org/tracker/CVE-2024-47176, archive

As of 10/1/24 3:52 UTC time, Trixie/Debian testing does not have a fix for the severe cupsd security vulnerability that was recently announced, despite Debian Stable and Unstable having a fix.

Debian Testing is intended for testing, and not really for production usage.

https://tracker.debian.org/pkg/cups-filters, archive

So the way Debian Unstable/Testing works is that packages go into unstable/ for a bit, and then are migrated into testing/trixie.

Issues preventing migration: ∙ ∙ Too young, only 3 of 5 days old

Basically, security vulnerabilities are not really a priority in testing, and everything waits for a bit before it updates.

I recently saw some people recommending Trixie for a “debian but not as unstable as sid and newer packages than stable”, which is a pretty bad idea. Trixie/testing is not really intended for production use.

If you want newer, but still stable packages from the same repositories, then I recommend (not an exhaustive list, of course).:

  • Opensuse Leap (Tumbleweed works too but secure boot was borked when I used it)
  • Fedora

If you are willing to mix and match sources for packages:

  • Flatpaks
  • distrobox — run other distros in docker/podman containers and use apps through those
  • Nix

Can get you newer packages on a more stable distros safely.

    • al4s@feddit.org
      link
      fedilink
      arrow-up
      4
      arrow-down
      5
      ·
      1 month ago

      I mean you’d still expect that critical security fixes would land in testing, no?

      • uiiiq@lemm.ee
        link
        fedilink
        arrow-up
        14
        ·
        1 month ago

        Why bother? Backporting security updates or updating packages is work and in case of debian often unpaid. Trixie is for testing new packages and configurations, does not make a ton of sense to keep everything up to date.

      • lurch (he/him)@sh.itjust.works
        link
        fedilink
        arrow-up
        1
        arrow-down
        1
        ·
        1 month ago

        it would be nice, but i only expect them to arrive with the regular package updates, i.e. when a new version of cups with the fix in it is released, not an extra quicker fix from the distro maintainer.

  • Scoopta@programming.dev
    link
    fedilink
    arrow-up
    14
    ·
    1 month ago

    How are fedora or SUSE valid alternatives “from the same repos”? They’re not even based on Debian or Debian repos?

    • moonpiedumplings@programming.devOP
      link
      fedilink
      arrow-up
      2
      ·
      1 month ago

      Sorry. I meant if you wanted to use only packages from one set of repositories/one distro, for if you were looking for lower level packages like the kernel or desktop environment to be updated.

  • Lvxferre@mander.xyz
    link
    fedilink
    arrow-up
    12
    ·
    edit-2
    1 month ago

    Yeah, using Testing directly is a bad idea. Instead pick a distro based on Testing - like LMDE (Linux Mint Debian Edition); or if you really need bleeding edge use Sid instead, but be aware that it was named after the child who breaks toys for a reason.

    EDIT - as the comments say LMDE is based on Stable. In my defence when I used it it was still based on Testing. (And it was a rolling release. Yup, LMDE “1” times.)

    • Scoopta@programming.dev
      link
      fedilink
      arrow-up
      3
      arrow-down
      1
      ·
      1 month ago

      Maybe it’s just been good luck, or maybe I pay enough attention to what apt is going to do and know how to deal with it but I’ve been daily driving sid for years and am convinced it’s more stable than arch based on friends I have that run arch…maybe it’s just I’m more experienced but it really doesn’t break that much. Obviously ymmv.

      • Lvxferre@mander.xyz
        link
        fedilink
        arrow-up
        4
        ·
        1 month ago

        I think that it’s partially due to Debian’s focus on stability. If they call it “stable” it’s rock solid; if they call it “unstable” it’s still fairly usable, it’s just the 0.1% odds that it’ll evoke Cthulhu in the process.

        In my Sid times I managed to break it, but to be fair it was more like a Frankendebian at that point.

    • moonpiedumplings@programming.devOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      1 month ago

      Linux mint debian edition is not based on testijg, but rather on stable*.

      This misconception may be caused by the fact that the latest debian stable, has newer packages than many of the older-but-not-ancient ubuntu releases, which were originally based off of debian sid.

      *I cannot find a first party source for this, only third party

      Linux Mint Debian Edition 6 hits beta with reassuringly little drama. Think Debian 12 plus Mint’s polish and a friendlier UX for non-techies

      https://www.theregister.com/2023/09/13/linux_mint_debian_edition_hands_on/

  • 0x0@programming.dev
    link
    fedilink
    arrow-up
    4
    ·
    1 month ago

    Stick to stable for production. Patches for vulnerabilities will go to stable asap. That’s where you want them, not testing or unstable.

  • toasteecup@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    arrow-down
    16
    ·
    1 month ago

    I would sooner use Windows before using Fedora. Fortunately, Linux Mint or Ubuntu exist instead.