If I'm running Debian testing, and if security updates aren't really applicable to a testing/unstable system, then is there any point in having deb http://security.debian.org/ stable/updates main contrib non-free deb http://security.debian.org/debian-non-US stable/non-US main contrib non-free in /etc/apt/sources.list? The Securing Debian Manual (in particular, section 4.8) doesn't make this clear. Andrew.