• Current bullseye security and stability

    From Jorge P. de Morais Neto@21:1/5 to All on Thu Jan 14 14:50:02 2021
    Hi.

    I love having fresh packages. To work around the oldness of Debian
    stable, I have installed dozens of packages from buster-backports; 81
    packages from Guix; 12 Flatpak applications (excluding runtimes); 20
    pip3 packages (excluding their dependencies); and ≃10 npm packages
    (excluding their many dozens of dependencies).

    The complementary package managers do not quench my thirst for
    freshness, so I would like to upgrade Debian to bullseye. Now that the
    freeze has started, is it a good time to upgrade my personal notebook?
    Should bullseye, by now, be relatively stable and, more importantly,
    secure enough?

    I do not run any server; it is a personal laptop behind NAT---at least
    for IPv4 (I don't know the details of IPv6). I am subscribed to
    `debian-security' and am willing to manually pull specific packages from
    /unstable/ for security reasons. That is, when a /testing/ package in
    my installation has a serious security vulnerability, I am willing to
    upgrade it to the security-fixed version from /unstable/ instead of
    waiting for it to propagate to testing.

    In this context, is bullseye secure enough?

    Regards

    --
    - <https://jorgemorais.gitlab.io/justice-for-rms/>
    - If an email of mine arrives at your spam box, please notify me.
    - Please adopt free/libre formats like PDF, ODF, Org, LaTeX, Opus, WebM and 7z.
    - Free/libre software for Replicant, LineageOS and Android: https://f-droid.org
    - [[https://www.gnu.org/philosophy/free-sw.html][What is free software?]]

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From ldavila@syt.net@21:1/5 to All on Thu Jan 14 15:30:02 2021
    Hey!

    I have a couple of notebooks, a VM and like ~30 servers running debian testing for 2 years now.
    My experience says you can count on stability.
    I have not detected any security issues yet... I'm also subscribed to
    debian-security; most of the announcements on the list are already
    solved by the packages on bullseye.

    regards
    lucas


  • From MichaIng@21:1/5 to All on Thu Jan 14 16:10:02 2021
    Hi,

    I can only agree, running some Bullseye systems as well since Buster was released, not facing any relevant issues.

    Generally, I think that Debian testing is not necessarily less secure
    than Debian stable at any time. Newer software/package versions on
    Debian testing may contain newly introduced security vulnerabilities
    (e.g. with new upstream features, or less reviewed implementations)
    which may be in balance with fixed old security vulnerabilities, which
    are usually patched into Debian stable packages with short delay. But
    newer software/package versions as well make use of newer
    security/encryption protocols and standards. For the same reason I as
    well would not rate Debian necessarily more secure than a
    rolling-release distro.

    The main difference IMO is the reliability and stability, as all
    packages on Debian stable have been much tested to be compatible with
    each other and no breaking changes happen when doing APT upgrades that
    would require configuration or setup changes to maintain the
    functionality of your system. Especially for server systems with
    multiple server daemons depending on each other, which must have at best
    zero downtime, while still doing regular security upgrades/backports,
    this is of high value. For a client system (no server), as long as you
    are able to use the console in case some mistake has happened, I
    personally would always use Debian testing right from the start. That
    way you do not need to mess with mixing repo suites (stable, testing,
    unstable).

    And as you mention "unstable"/sid: Do not use it if it's not for testing
    (I mean help testing new package implementations on a test system) or
    development reasons. It's easy to run into a dependency mess or that
    suddenly large parts of the system are upgraded to sid packages. It's a
    development playground, not meant for production systems. It should be
    pretty fine to wait until a certain software version has reached the
    "testing" (currently Bullseye) suite, where dependency integrity and a
    basic testing by maintainers has been done already.

    Kind regards,

    Micha

  • From Jorge P. de Morais Neto@21:1/5 to All on Sat Jan 16 17:20:01 2021
    On [2021-01-14 Thu 16:08:43+0100], MichaIng wrote:

    > I can only agree, running some Bullseye systems as well since Buster
    > was released, not facing any relevant issues.
    > [...]

    Thank you Micha and lucas. I have then upgraded my notebook to bullseye
    and so far it has been pleasant indeed.

    > And as you mention "unstable"/sid: Do not use it if it's not for
    > testing (I mean help testing new package implementations on a test
    > system) or development reasons. It's easy to run into a dependency
    > mess or that suddenly large parts of the system are upgraded to sid
    > packages. It's a development playground, not meant for production
    > systems. It should be pretty fine to wait until a certain software
    > version has reached the "testing" (currently Bullseye) suite, where
    > dependency integrity and a basic testing by maintainers has been
    > done already.

    So you recommend avoiding sid even for specific package minor-version
    upgrades with security fixes?

    The Debian wiki says otherwise. See https://wiki.debian.org/DebianTesting#Best_practices_for_Testing_users

    I currently follow the Debian wiki advice. I carefully monitor the list
    of installed packages from unstable, to avoid unintended upgrades.

    Regards

    --
    - <https://jorgemorais.gitlab.io/justice-for-rms/>
    - I am Brazilian. I hope my English is correct and I welcome feedback.
    - <https://www.defectivebydesign.org/>
    - <https://www.gnu.org/>

  • From MichaIng@21:1/5 to All on Sat Jan 16 21:20:01 2021
    > So you recommend avoiding sid even for specific package minor-version
    > upgrades with security fixes?
    >
    > The Debian wiki says otherwise. See
    > https://wiki.debian.org/DebianTesting#Best_practices_for_Testing_users
    >
    > I currently follow the Debian wiki advice. I carefully monitor the list
    > of installed packages from unstable, to avoid unintended upgrades.

    Hi Jorge,

    the way you explain how you use it, especially carefully reviewing the
    upgrade list, and are okay with the chance to run into bugs with the
    implementation, it should be fine, but I would never recommend it to a
    "regular" user, not knowing the experience level.

    Read the notes at the top about which requirements need to be fulfilled
    before a package is merged from "unstable" to "testing":
    - The package has been in "unstable" at least for 2-10 days (depending
    on the urgency of the upload).
    - The package has been built for all the architectures which the
    present version in testing was built for.
    - Installing the package into testing will not make the distribution
    more uninstallable.
    - The package does not introduce new release critical bugs.

    The other way round, the above points are not guaranteed for "unstable"
    and usually critical security fixes are available in testing a couple of
    days later, which should outweigh the possible chance for a major
    security issue introduced with a package from unstable due to a
    non-reviewed/tested implementation change for example.

    When using testing only, APT upgrades can be applied without issues
    (dist/full-upgrade still needs to be reviewed of course due to possibly
    changing major versions) and a minimum of test and review is guaranteed,
    which IMO is worth it to wait for.

    But it all depends on the use-case and personal preference, of course.
    And, if you do report bugs back to the package maintainers, you can help
    making testing->stable better for other users, so it's actually great if
    more (experienced) users use "unstable", but it's just not what I would
    recommend to a "regular" user ;).

    Kind regards,

    Micha

  • From Jorge P. de Morais Neto@21:1/5 to All on Sun Jan 17 00:00:01 2021
    Hi.

    On [2021-01-16 Sat 21:11:32+0100], MichaIng wrote:

    > the way you explain how you use it, especially carefully reviewing the
    > upgrade list, and are okay with the chance to run into bugs with the
    > implementation,

    To be clear, I don't assess the origin (testing or sid) of each new
    package version every time I upgrade (daily). What I actually do:
    1. I review the upgrade list in aptitude looking for suspicious removals
    2. I use `apt-listchanges' and `apt-listbugs'
    3. I periodically invoke the following script:

    --8<---------------cut here---------------start------------->8---
    #!/usr/bin/env bash

    # Aptitude pattern: installed packages (~i) whose installed version is
    # available from unstable (~Aunstable) but not from testing.
    declare -r SID="?narrow(?not(~Atesting),~i~Aunstable)"
    # Print the matching packages to stderr and their count to stdout.
    aptitude search "${SID}" |
    tee /dev/stderr |
    wc -l
    # Dry run (-s) of upgrading those packages with unstable as the target
    # release, to see whether they are held back or would pull in more sid.
    aptitude -s -t unstable full-upgrade "${SID}"
    --8<---------------cut here---------------end--------------->8---

    The pipeline that begins with `aptitude search "${SID}"' tells which
    (and how many) sid packages are currently installed. The second
    aptitude invocation tells whether the installed sid packages are fully
    up-to-date.

    The second aptitude invocation should address the danger of an installed
    sid package being barred from upgrading to its latest version because
    that new version needs additional sid packages. If that happens, I need
    to be aware and decide whether the benefit of the new version outweighs
    the downside of increasing the number of sid packages.

    The question, of course, is whether software freshness is worth all this
    work. This may be obsessive/compulsive behavior on my part.

    > The other way round, the above points are not guaranteed for
    > "unstable" and usually critical security fixes are available in
    > testing a couple of days later, which should outweigh the possible
    > chance for a major security issue introduced with a package from
    > unstable due to a non-reviewed/tested implementation change for
    > example.

    You make valid points. I will keep that in mind.

    Regards

    --
    - <https://jorgemorais.gitlab.io/justice-for-rms/>
    - I am Brazilian. I hope my English is correct and I welcome feedback.
    - Free Software Supporter: <https://www.fsf.org/free-software-supporter>
    - If an email of mine arrives at your spam box, please notify me.

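An added example, not part of the thread and not Jorge's script: it answers the same question his aptitude search does, "which installed packages come only from sid?", by parsing the text that `apt-cache policy <pkg>...` prints, so it needs neither aptitude nor network access. It also flags the case the aptitude pattern cannot express: an installed version that no configured suite offers any more, which is the package most likely to get stuck. The policy text below is constructed; the package names, versions and pin priorities (990 for testing as the target release, 500 for unstable) are assumptions, not values from any real system.

```shell
#!/bin/sh
# Added example: list installed packages whose installed version is not
# offered by the "testing" suite, from the output of `apt-cache policy`.
# Output is one line per package: "<package> <suite>[,<suite>...]" or
# "<package> none" when no configured suite offers the installed version.

sid_only_installed() {
  awk '
    # Emit the package collected so far, then reset per-package state.
    function flush() {
      if (pkg != "" && saw_inst && !("testing" in seen))
        print pkg " " (list == "" ? "none" : list)
      pkg = ""; list = ""; saw_inst = 0; in_inst = 0; split("", seen)
    }
    # Package header: a non-indented line ending in ":" (e.g. "curl:").
    /^[^ \t].*:$/ { flush(); pkg = substr($0, 1, length($0) - 1); next }
    # " *** <version> <prio>" marks the installed version; the indented
    # origin lines that follow it belong to that version.
    /^ \*\*\* /   { in_inst = 1; saw_inst = 1; next }
    # Any other version line ("     <version> <prio>") ends that group.
    /^     [^ ]/  { in_inst = 0; next }
    # Origin line: "<prio> <uri> <suite>/<component> <arch> Packages".
    # The dpkg status entry ("100 /var/lib/dpkg/status") has no suite
    # field, so NF >= 3 skips it.
    in_inst && /^        [0-9]+ / && NF >= 3 {
      split($3, parts, "/"); s = parts[1]
      if (!(s in seen)) { seen[s] = 1; list = (list == "" ? s : list "," s) }
      next
    }
    END { flush() }
  '
}

# Constructed sample of `apt-cache policy` output (names, versions and
# priorities are made up): curl is installed from unstable, bash from
# testing, and libfoo1 at a version no suite offers any more.
sample_policy() {
  cat <<'EOF'
curl:
  Installed: 7.74.0-1
  Candidate: 7.74.0-1
  Version table:
 *** 7.74.0-1 500
        500 http://deb.debian.org/debian unstable/main amd64 Packages
        100 /var/lib/dpkg/status
     7.72.0-1 990
        990 http://deb.debian.org/debian testing/main amd64 Packages
bash:
  Installed: 5.1-2
  Candidate: 5.1-2
  Version table:
 *** 5.1-2 990
        990 http://deb.debian.org/debian testing/main amd64 Packages
        500 http://deb.debian.org/debian unstable/main amd64 Packages
        100 /var/lib/dpkg/status
libfoo1:
  Installed: 2.0-1
  Candidate: 2.0-1
  Version table:
 *** 2.0-1 100
        100 /var/lib/dpkg/status
     1.9-1 990
        990 http://deb.debian.org/debian testing/main amd64 Packages
EOF
}

# Run the parser over the constructed sample.
report_sample() {
  sample_policy | sid_only_installed
}

report_sample
echo "flagged: $(report_sample | wc -l | tr -d ' ')"
```

On a real system the same function can be fed the whole installed set, for example with `dpkg-query -W -f='${Package}\n' | xargs apt-cache policy | sid_only_installed`; a package reported as `none` is one whose installed version has already disappeared from every suite, which is where a future upgrade is most likely to need extra sid packages.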