this post was submitted on 01 Oct 2024
80 points (96.5% liked)


https://security-tracker.debian.org/tracker/CVE-2024-47176, archive

As of 10/1/24 3:52 UTC time, Trixie/Debian testing does not have a fix for the severe cupsd security vulnerability that was recently announced, despite Debian Stable and Unstable having a fix.

Debian Testing is intended for testing, and not really for production usage.

https://tracker.debian.org/pkg/cups-filters, archive

So the way Debian Unstable/Testing works is that packages go into unstable/ for a bit, and then are migrated into testing/trixie.

Issues preventing migration:

  • Too young, only 3 of 5 days old

Basically, security vulnerabilities are not really a priority in testing, and everything waits for a bit before it updates.

I recently saw some people recommending Trixie for a "debian but not as unstable as sid and newer packages than stable", which is a pretty bad idea. Trixie/testing is not really intended for production use.

If you want newer, but still stable, packages from the same repositories, then I recommend (not an exhaustive list, of course):

  • openSUSE Leap (Tumbleweed works too but secure boot was borked when I used it)
  • Fedora

If you are willing to mix and match sources for packages:

  • Flatpaks
  • distrobox — run other distros in docker/podman containers and use apps through those
  • Nix

These can get you newer packages on a more stable distro safely.

[–] [email protected] 2 points 1 month ago (2 children)

I mean you'd still expect that critical security fixes would land in testing, no?

[–] [email protected] 14 points 1 month ago

Why bother? Backporting security updates or updating packages is work, and in the case of Debian it is often unpaid. Trixie is for testing new packages and configurations; it does not make a ton of sense to keep everything up to date.

[–] lurch 0 points 1 month ago

It would be nice, but I only expect them to arrive with the regular package updates, i.e. when a new version of CUPS with the fix in it is released, not an extra quicker fix from the distro maintainer.