Hi Paul, On 25/05/2022 02:10, Paul Wise wrote:
bullseye-updates: receives occasional time-sensitive and important updates, such as updates to the timezone database, which often happen just days before the timezone changes, or fixes for packages that get completely broken by some external services on the Internet, or fixes for packages that were initially broken but that wasn't found.
All what you described here is not important for OP who wants to reduce his attack surface from malicious developer attack scenario. And I argue, not important for typical security conscious home user either.
There are only three updates in it currently, two of them are updates to the timezone database and one is clamav, which sometimes needs updates so it can continue to pull in antivirus detections.
All of them will land in "bullseye" repository on point release. Correct? My system will learn timezone changes in (for example) Barbados, Seychelles or elsewhere when time comes for point release. I don't need it now, I don't live there. Same goes when user does not use ClamAV: No need for antivirus definitions. And when very rare occasion will occur that software in Stable will suddenly broke due to server side updates of some software, user can always stop, think and investigate. No need to keep bullseye-updates enabled 24/7/365 and never use it (if we exclude timezone updates, antivirus definitions, there is nothing really urging users to enable this repository). This would be widening exposure surface without any real benefit. Situation like this happened recently, Telegram has cut-off old client versions on server side, Telegram bullseye stopped working. Soon after maintainer dropped new Telegram to bullseye-backports, so people could upgrade in controlled fashion. Please notice that having bullseye-updates would not help in this example.
https://deb.debian.org/debian/dists/bullseye-updates/main/source/Sources.xz bullseye-proposed-updates: the contents of the next point release; some changes come from bullseye-security, some from bullseye-updates and some from package maintainers.
That's Stable's "beta testing" for sure. I didn't mentioned that to the OP, I don't use it myself.
https://release.debian.org/proposed-updates/stable.html
-- With kindest regards, Piotr. ⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system ⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org/ ⠈⠳⣄⠀⠀⠀⠀
