https://security-tracker.debian.org/tracker/CVE-2024-47176, archive

As of 10/1/24 3:52 UTC time, Trixie/Debian testing does not have a fix for the severe cupsd security vulnerability that was recently announced, despite Debian Stable and Unstable having a fix.

Debian Testing is intended for testing, and not really for production usage.

https://tracker.debian.org/pkg/cups-filters, archive

So the way Debian Unstable/Testing works is that packages go into unstable/ for a bit, and then are migrated into testing/trixie.

Issues preventing migration: ∙ ∙ Too young, only 3 of 5 days old

Basically, security vulnerabilities are not really a priority in testing, and everything waits for a bit before it updates.

I recently saw some people recommending Trixie for a “debian but not as unstable as sid and newer packages than stable”, which is a pretty bad idea. Trixie/testing is not really intended for production use.

If you want newer, but still stable packages from the same repositories, then I recommend (not an exhaustive list, of course).:

  • Opensuse Leap (Tumbleweed works too but secure boot was borked when I used it)
  • Fedora

If you are willing to mix and match sources for packages:

  • Flatpaks
  • distrobox — run other distros in docker/podman containers and use apps through those
  • Nix

Can get you newer packages on a more stable distros safely.

  • al4s@feddit.org
    link
    fedilink
    arrow-up
    7
    ·
    2 months ago

    I mean you’d still expect that critical security fixes would land in testing, no?

    • uiiiq@lemm.ee
      link
      fedilink
      arrow-up
      13
      ·
      2 months ago

      Why bother? Backporting security updates or updating packages is work and in case of debian often unpaid. Trixie is for testing new packages and configurations, does not make a ton of sense to keep everything up to date.

    • lurch (he/him)@sh.itjust.works
      link
      fedilink
      arrow-up
      1
      ·
      2 months ago

      it would be nice, but i only expect them to arrive with the regular package updates, i.e. when a new version of cups with the fix in it is released, not an extra quicker fix from the distro maintainer.

    • cqst
      link
      fedilink
      arrow-up
      1
      ·
      2 months ago

      I mean you’d still expect that critical security fixes would land in testing, no?

      they get there, just after uh, 5 days usually. things change during the soft freeze as the migration time gets even longer

      testing is not really meant to be used in that way, you can think of testing of “what would the next debian stable look like if it was released today?” as the versions in debian stable are meant to be frozen, those that are in testing are meant to be tested at that version.