diff --git a/content/os/Choosing Your Desktop Linux Distribution.md b/content/os/Choosing Your Desktop Linux Distribution.md index 66ca482..b4f81a7 100644 --- a/content/os/Choosing Your Desktop Linux Distribution.md +++ b/content/os/Choosing Your Desktop Linux Distribution.md @@ -12,6 +12,10 @@ You should choose a distribution which stays close to the stable upstream softwa For frozen distributions, package maintainers are expected to backport patches to fix vulnerabilities (Debian is one such [example](https://www.debian.org/security/faq#handling)) rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release. +In fact, in certain cases, there have been vulnerabilities introduced by Debian because of their patching process. [Bug 1633467](https://bugzilla.mozilla.org/show_bug.cgi?id=1633467) and [Bug 1679430](https://bugzilla.mozilla.org/show_bug.cgi?id=1679430) are examples of this. + +![Upstream - Distros Gap](/upstream-distros-gap.png) + Holding packages back and applying interim patches is generally not a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this: {{< youtube id="i8c0mg_mS7U">}} diff --git a/static/upstream-distros-gap.png b/static/upstream-distros-gap.png new file mode 100644 index 0000000..1fabea9 Binary files /dev/null and b/static/upstream-distros-gap.png differ
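Review bot: The added sentence cites Bug 1633467 and Bug 1679430 as "vulnerabilities introduced by Debian because of their patching process" without saying what either bug is, so a reader cannot tell from the page what went wrong or whether the claim is accurate; add a short clause per link describing the affected package and the nature of the defect (or, if only one of them is an actual security regression, say so rather than calling both "vulnerabilities"). The new image `![Upstream - Distros Gap](/upstream-distros-gap.png)` has no caption or source attribution, and the alt text does not explain what the figure shows; a one-line caption stating what the gap measures and where the figure comes from would make the paragraph stand on its own for readers using screen readers or reading without images. Minor style point: "In fact, in certain cases, there have been vulnerabilities introduced by Debian" is wordy; "Debian's patching process has itself introduced vulnerabilities in some cases" reads more directly.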