Concerns about how the Security information is presented on Debian.org


Let me first say that while my message is critical, Debian is my favorite Linux distro, and I've used many over many years. The goal of this post is to improve the way the security information is communicated on debian.org, which I believe is misleading.

security.debian.org starts off with "Debian takes security very seriously." and goes on about how great Debian's security is. It stops short of explicitly claiming that Debian provides all security updates for all packages included in the distribution, but it implies these things. A casual user, with no particular background in security, will come away not realizing the limitations, of which I'd like to point out two:

1. The vast majority of security vulnerabilities discovered in upstream code are quietly fixed and never get written up as CVEs, so they don't even come up on the radar (1)

2. Debian is too understaffed to backport even the CVEs in widely used and security-critical packages like Chromium -- security-tracker.debian.org is showing it to be several months behind on the fixes.

This is something the users deserve to know. Hiding this information from the users is in direct violation of the DSC (I know the security tracker exists, but who's going to look at it after reading what amounts to "we got your back, buddy! Nothing to worry about").

Morality aside, I think that if more Debian users were aware of the truth, they'd lobby for a rolling Debian release (Debian Unstable is kind of like that, but not really).

(1) See for example https://arxiv.org/abs/2105.14565