On Tue, 20 Apr 2021 14:13:19 -0400 Dan Ritter <[email protected]> wrote:
...
> Packages in unstable are freshly compiled and have no security
> support. You should expect them to change rapidly, have major
> bugs, and not have those bugs fixed quickly.

To clarify: while it is true that "there are no security updates for unstable" and that

"The fact is that some security issues might appear in unstable and not in the stable distribution. This is due to new functionality constantly being added to the applications provided there, as well as new applications being included which might not yet have been thoroughly tested."

it is also true that

"When a security fix is prepared, the Security Team backports the patch to stable (since stable is usually some minor or major versions behind). Package maintainers are responsible for preparing packages for the unstable branch, usually based on a new upstream release. Sometimes the changes happen at nearly the same time and sometimes one of the releases gets the security fix before. Packages for the stable distribution are more thoroughly tested than unstable, since the latter will in most cases provide the latest upstream release (which might include new, unknown bugs).

Security updates are available for the unstable branch usually when the package maintainer makes a new package and for the stable branch when the Security Team make a new upload and publish a DSA."

https://www.debian.org/doc/manuals/securing-debian-manual/ch10.en.html#id-1.11.2.5

So while it's true that unstable doesn't get dedicated security support, it's an open question as to whether unstable or stable will get any given security fix first.

Celejar

