
Re: Current bullseye security and stability



Hi,

I can only agree; I have been running some Bullseye systems as well since Buster was released and am not facing any relevant issues.

Generally, I think that Debian testing is not necessarily less secure than Debian stable at any time. Newer software/package versions on Debian testing may contain newly introduced security vulnerabilities (e.g. with new upstream features, or less reviewed implementations), which may be in balance with fixed old security vulnerabilities, which are usually patched into Debian stable packages with a short delay. But newer software/package versions also make use of newer security/encryption protocols and standards. For the same reason I would also not rate Debian stable as necessarily more secure than a rolling-release distro.

The main difference IMO is the reliability and stability, as all packages on Debian stable have been tested extensively to be compatible with each other, and no breaking changes happen when doing APT upgrades that would require configuration or setup changes to maintain the functionality of your system. Especially for server systems with multiple server daemons depending on each other, which ideally must have zero downtime while still doing regular security upgrades/backports, this is of high value. For a client system (no server), as long as you are able to use the console in case some mistake has happened, I personally would always use Debian testing right from the start. That way you do not need to mess with mixing repo suites (stable, testing, unstable).

And as you mention "unstable"/sid: Do not use it unless it is for testing (I mean helping to test new package implementations on a test system) or development reasons. It's easy to run into a dependency mess, or to find that suddenly large parts of the system are upgraded to sid packages. It's a development playground, not meant for production systems. It should be pretty fine to wait until a certain software version has reached the "testing" (currently Bullseye) suite, where dependency integrity and basic testing by maintainers have been done already.

Kind regards,

Micha

On 14.01.2021 at 15:20, ldavila@syt.net wrote:
Hey!

I have a couple of notebooks, a VM and like ~30 servers running debian testing for 2 years now.
My experience says you can count on stability.
I have not detected any security issues yet... I'm also subscribed to debian-security, and most of the announcements on the list are already solved by the packages on bullseye.

regards
lucas

On 14/1/2021 at 10:44, Jorge P. de Morais Neto wrote:
Hi.

I love having fresh packages.  To work around the oldness of Debian
stable, I have installed dozens of packages from buster-backports; 81
packages from Guix; 12 Flatpak applications (excluding runtimes); 20
pip3 packages (excluding their dependencies); and ≃10 npm packages
(excluding their many dozens of dependencies).

The complementary package managers do not quench my thirst for
freshness, so I would like to upgrade Debian to bullseye.  Now that the
freeze has started, is it a good time to upgrade my personal notebook?
Should bullseye, by now, be relatively stable and, more importantly,
secure enough?

I do not run any server; it is a personal laptop behind NAT---at least
for IPv4 (I don't know the details of IPv6).  I am subscribed to
`debian-security' and am willing to manually pull specific packages from
/unstable/ for security reasons.  That is, when a /testing/ package in
my installation has a serious security vulnerability, I am willing to
upgrade it to the security-fixed version from /unstable/ instead of
waiting for it to propagate to testing.

In this context, is bullseye secure enough?

Regards


