
The flow of updates: stream or mighty river (comparing distributions for security)

the_servicer

Is the volume of updates a good way to compare the security of a Linux distribution?

I've been using the latest default, mainstream releases of Fedora for workstations and Pop!_OS. There seems to be a big difference in how many updates are released. I particularly noticed how many updates I had to install in Fedora 41 soon after the final image was released.

Pop!_OS, by contrast, has a slower stream of updates. Almost all of those updates seem to get released during weekdays.

Just because I don't know better, I am using the commands:

Code:
dnf upgrade
and
Code:
apt full-upgrade

For what I do, Pop!_OS is by far a nicer system to use, but I am starting to wonder if I should switch to Fedora for more sensitive uses.
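The OP's raw count from `dnf upgrade` and `apt full-upgrade` mixes security fixes with feature and bug updates. The following added example (not from the thread or any of its posters) splits that count by parsing the text that `apt-get -s dist-upgrade` and `dnf updateinfo list` print; the sample output lines, versions, advisory ids and the `Pop_OS:22.04/jammy` origin label are constructed for illustration.

```python
"""Split pending updates into security vs. other kinds.

Added example: reads the output of `apt-get -s dist-upgrade`
(Ubuntu / Pop!_OS) and `dnf updateinfo list` (Fedora) and counts how
many pending packages are security fixes, so "many updates" can be told
apart from "many security updates".
"""
import re
import shutil
import subprocess
from collections import Counter
from typing import Iterable

# apt-get -s prints one line per package it would install:
#   Inst <pkg> [<old-version>] (<new-version> <origin> [<arch>])
# On Ubuntu-derived distros security fixes are served from an archive
# whose label ends in "-security" (e.g. jammy-security); that suffix is
# the signal used here.
APT_INST = re.compile(r"^Inst\s+(\S+)\s+(?:\[[^\]]*\]\s+)?\((\S+)\s+([^)]*)\)")

# dnf updateinfo list prints "<advisory> <type> <package>", where <type>
# is security / bugfix / enhancement, or "<Severity>/Sec." when a
# severity is attached (e.g. "Important/Sec.").
DNF_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def classify_apt(lines: Iterable[str]) -> Counter:
    """Count pending apt packages: 'security' vs 'other', plus 'total'."""
    counts: Counter = Counter()
    for line in lines:
        m = APT_INST.match(line)
        if not m:
            continue  # "Conf", "Remv" and chatter lines are not installs
        origin = m.group(3)
        counts["security" if "-security" in origin else "other"] += 1
        counts["total"] += 1
    return counts


def classify_dnf(lines: Iterable[str]) -> Counter:
    """Count pending dnf advisories by type, plus 'total'."""
    counts: Counter = Counter()
    for line in lines:
        m = DNF_ROW.match(line.strip())
        if not m:
            continue  # metadata chatter has more than three fields
        kind_col = m.group(2).lower()
        if "sec" in kind_col:
            kind = "security"
        elif "bug" in kind_col:
            kind = "bugfix"
        elif "enh" in kind_col:
            kind = "enhancement"
        else:
            kind = "other"
        counts[kind] += 1
        counts["total"] += 1
    return counts


def security_share(counts: Counter) -> float:
    """Fraction of pending updates that are security fixes (0.0 if none)."""
    return counts["security"] / counts["total"] if counts["total"] else 0.0


def pending_on_this_host() -> Counter:
    """Classify the real pending set. Both commands are read-only:
    apt-get -s only simulates and dnf updateinfo only reads metadata."""
    if shutil.which("apt-get"):
        out = subprocess.run(["apt-get", "-s", "dist-upgrade"],
                             capture_output=True, text=True, check=False).stdout
        return classify_apt(out.splitlines())
    if shutil.which("dnf"):
        out = subprocess.run(["dnf", "-q", "updateinfo", "list"],
                             capture_output=True, text=True, check=False).stdout
        return classify_dnf(out.splitlines())
    return Counter()


# Constructed sample output (versions, advisory ids and the Pop origin
# label are made up; the line shapes follow the real tools).
SAMPLE_APT = """\
NOTE: This is only a simulation!
Inst libssl3 [3.0.2-0ubuntu1.10] (3.0.2-0ubuntu1.12 Ubuntu:22.04/jammy-security [amd64])
Inst openssl [3.0.2-0ubuntu1.10] (3.0.2-0ubuntu1.12 Ubuntu:22.04/jammy-security [amd64])
Inst firefox [120.0+build2-0ubuntu0.22.04.1] (121.0+build1-0ubuntu0.22.04.1 Ubuntu:22.04/jammy-updates [amd64])
Inst pop-desktop [1.0.0] (1.0.1 Pop_OS:22.04/jammy [amd64])
Conf libssl3 (3.0.2-0ubuntu1.12 Ubuntu:22.04/jammy-security [amd64])
"""

SAMPLE_DNF = """\
Last metadata expiration check: 0:12:31 ago on Mon 10 Feb 2025 09:00:00 UTC.
FEDORA-2025-000000aaaa Important/Sec. kernel-6.12.9-200.fc41.x86_64
FEDORA-2025-000000bbbb security       openssl-1:3.2.2-9.fc41.x86_64
FEDORA-2025-000000cccc bugfix         gnome-shell-47.3-1.fc41.x86_64
FEDORA-2025-000000dddd enhancement    mesa-dri-drivers-24.3.4-1.fc41.x86_64
FEDORA-2025-000000eeee bugfix         vlc-3.0.21-5.fc41.x86_64
"""

if __name__ == "__main__":
    for label, counts in (("apt (sample)", classify_apt(SAMPLE_APT.splitlines())),
                          ("dnf (sample)", classify_dnf(SAMPLE_DNF.splitlines()))):
        print(f"{label}: {counts['total']} pending, {counts['security']} security "
              f"({security_share(counts):.0%})")
```

Run it on a real host with `pending_on_this_host()`; the share of security advisories, and how long they stay pending, is a better comparison than the bare package count.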
 
Good question. I use Mint and the updates are never ending. 4 or 5 a day is not unusual. And I can't help but wonder why Flatpak updates don't require a password. But then again, I've never had a security incident using Linux.
 
I don't think volume of updates shows much about security. It might show something about how many packages are installed by default and/or how things are broken up: some distros try to split an upstream package up so you can pick the parts you want, and some don't.

But mostly it tells you about how the distro follows upstream. Some distros want to be always latest, and endeavor to update whenever upstream updates for security or otherwise. Other distros prefer to have a more stable environment and only update their packages for security issues and important bugs.
 
The current version of Pop OS is based on Ubuntu 22.04 LTS. I imagine that version of Ubuntu isn't getting updates as frequently as newer versions to begin with. Then they'll probably take some time to become available from the Pop OS repos too.

Same thing with Fedora and other RHEL based distros. I know I see that with Rocky Linux. I'll get an update for my RHEL systems, then a day or so later the update will make it to Rocky.
 
The current version of Pop OS is based on Ubuntu 22.04 LTS. I imagine that version of Ubuntu isn't getting updates as frequently as newer versions to begin with. Then they'll probably take some time to become available from the Pop OS repos too.

Same thing with Fedora and other RHEL based distros. I know I see that with Rocky Linux. I'll get an update for my RHEL systems, then a day or so later the update will make it to Rocky.
Security updates will still be pushed as soon as exploits are found and patched. LTS isn't 100% frozen in time.
 
Privacy Guides gave commentary that actually sounds pretty bad for Debian and the beloved Pop!_OS:
We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions. This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates.
 
Privacy Guides gave commentary that actually sounds pretty bad for Debian and the beloved Pop!_OS:
That whole link reads like absolute bullshit. Furthermore, Debian stable is more frozen in time than Ubuntu LTS based distros - there is a difference, you can't lump both into the same category.
 
That whole link reads like absolute bullshit. Furthermore, Debian stable is more frozen in time than Ubuntu LTS based distros - there is a difference, you can't lump both into the same category.
Reading through it... although I may disagree somewhat with some advice, it's also mostly spot on. As for LTS and updates: ya, LTS is frozen in time feature-wise. Security and bug fixes are still pushed. So instead of updating a software package from say 11.4 to 12.0, the LTS will get 11.5 instead with bug and security fixes backported (security updates from the new version only being applied). The issue with this in an LTS is you really are at the mercy of that specific distribution to be rolling out backports in a timely manner. In that regard I would agree with you that Ubuntu is superior to Debian... for no other reason than Ubuntu is a company that sells security updates to its customers. You also need to trust the LTS company a bit... sometimes backporting isn't really feasible and a version change is required for security. (The big corps like Ubuntu will do that... the problem is sometimes the distros based on them may choose to hold a feature bump; I don't think that is a big deal but it can happen.)

If you are looking for an LTS distro, which wouldn't be my go-to as a home user, Ubuntu and SUSE Leap... are imo the only real options. Both are backed by major commercial Linux providers who reliably push security updates. Having said that, for a home user (I know Maz disagrees) I wouldn't touch a feature-frozen LTS. One reason being that yes, frozen features are in themselves a security risk. (Though again, if we are talking about a home PC... I mean the chances of someone exploiting a 6 month old CUPS print system or something is super low.)

Seeing as you have mentioned Fedora: Fedora is a bit unique. Fedora is backed by Red Hat, who is IBM. The thing is they don't do an LTS distro you can download. RHEL (Red Hat Enterprise Linux) is for sure the largest commercial LTS distro in the world... that isn't something you can download. They used to have CentOS, a non-paid-for version of RHEL; they no longer do. Fedora is basically like a test bed for them. It's not a rolling release, it's sort of a half rolling release. Red Hat uses Fedora as an early test bed. It is imo a secure OS, though RHEL is what you run a bank on; Fedora isn't really getting commercial use. If you do want an LTS feature-frozen distro that uses RPM packaging I would look at SUSE Leap, which is the non-commercial version of SUSE SLES (SUSE Linux Enterprise Server). Comparing Leap to SLES is basically like this: Leap gets complete updates every handful of months... SLES, if you're paying them for a service contract, will do security backporting to older versions. So with Leap you will be forced to the newer feature versions more often... with SLES, if you again were a bank, you could pay to have the current version of SLES supported with security patches for a longer 2-3 year period. The main advantage being a feature freeze, and in general updates requiring massive downtime would be very rare. (In fact SLES and RHEL can both be supported in a way where downtime doesn't happen ever, as they can update the kernel and other systems while they are running.)

Sorry for the book, I hope it makes some sense? LTS = feature frozen, but security updates and normally bug updates are still pushed through. This article isn't wrong about distros based on other companies' LTS distros. It is one more layer of waiting for updates. Again, for home users though, really waiting potentially a day or two for most minor updates isn't a big deal. IME all the larger distros based on the mother distros are all good about getting updates up, often same day, in the rare cases of some large bug being discovered and patched. (Thinking about the CUPS vulnerability a while back... basically every distro had that patched within a few hours once the fixes were applied to mainline.)

For what it is worth I do agree with that article in terms of rolling release being more secure. I do believe that is true. The caveat being: security isn't of equal concern to different users. Something like a bank clearly needs a different level of security... but they also need ultimate stability. So rolling release benefits on security aren't worth having to reboot daily to do updates. This is where things like RHEL and SLES and even Ubuntu come into play. They push fewer minor updates. They also all have ways of updating the kernel on a running machine... as well as ways to update other key packages without requiring reboots. For a home user however, imo yes, a rolling release will inherently be more secure. There are drawbacks for a home user as well... I mean the first one being a lot more updates. If you don't have a great internet connection you probably don't want to be running a true rolling distro... some days you might have a couple GBs of update downloads, but generally every day you'll have downloads. You will also see change in your OS often. For an advanced user, most people like getting the latest software always. For a new user, or someone buying a laptop from System76... maybe not having your UI change on you one day cause KDE/Gnome just went up a version, or having the UI for your WIFI or other things change with an update, is a good thing. On PopOS specifically I don't think security should be a major concern. Ubuntu is a core commercial distro that pushes all security updates with no delay and with the server infrastructure to build packages almost instantly. PopOS is maintained by System76... so far it seems like they have been a good maintainer and push security updates within a few hours of the mother distro. If you trust Pop long term or not is up to you... System76 is 20 years old, they are private not public, but I think they are reported to make a little over 20 million or so in revenue a year. They seem to have found a niche selling Linux hardware and have been growing.

End of the day, security is up to you. Fedora and Ubuntu are safe bets; they are both backed by major companies, neither is going to ever have massive security holes that are exclusive to them. Pop and other well maintained distros are likewise secure. With all distros, and this will probably always be a Linux "issue", your chosen distro may become abandoned, or the project may fall into disrepair basically. A project that had 20 people maintaining it may fall to infighting and the distro may go to shit. Or a company doing something like PopOS might go out of business and the distro may become abandoned... or taken over by well meaning people that aren't on par with the previous developer. If you're looking for good reasons to stick with mainline distros like Fedora/SUSE/Ubuntu... that might be the best reason. They are backed by massive corporations. Still, even then, I mean ask people that were running CentOS. One day another big corporation like IBM can come along, buy up a company like Red Hat and decide they don't want to give away their enterprise class distro anymore. [And that is one of the main reasons Arch is loved by Linux power users... Arch is made by the people that use it. No company that might change direction, get sold, merged. No board of advisers from big corps who use it as a base steering the distro. So far the only real big money Arch has taken has been from Valve. Their support so far hasn't been to push the distro anywhere it wasn't planning to go anyway.]
 
Personally, I wouldn't touch a rolling release OS, and the idea that Ubuntu LTS releases are security risks even though security updates are backported and patched makes no sense whatsoever. Every time there has been a notable security issue under Linux, security updates patching the issue have been released within days under the LTS distro of my choosing.

The fact remains that the best way to introduce security issues is to run largely untested bleeding edge software, a great example of this is the recent XZ Utils backdoor hack. Ubuntu and Debian both weren't affected, but Arch and certain variants of Fedora were:

https://www.balbix.com/blog/balbix-guide-to-xz-utils-backdoor/
 
Personally, I wouldn't touch a rolling release OS, and the idea that Ubuntu LTS releases are security risks even though security updates are backported and patched makes no sense whatsoever. Every time there has been a notable security issue under Linux, security updates patching the issue have been released within days under the LTS distro of my choosing.

The fact remains that the best way to introduce security issues is to run largely untested bleeding edge software, a great example of this is the recent XZ Utils backdoor hack. Ubuntu and Debian both weren't affected, but Arch and certain variants of Fedora were:

https://www.balbix.com/blog/balbix-guide-to-xz-utils-backdoor/
Depends on what kind of security risk you are averse to, I guess. Purposefully planted holes are more likely to get you on bleeding edge packages (but are still possible with backports if, eg, you have a malicious pkg maintainer), however bugs which are exploitable are present in any package, but are more likely to be fixed or not yet found in the latest version.

Either way, once found, fixes are usually pushed quickly.
 
however bugs which are exploitable are present in any package, but are more likely to be fixed or not yet found in the latest version.
Security updates are absolutely back ported to LTS releases in a very timely manner, LTS releases simply don't get feature updates. In a nutshell, that's the whole point of LTS releases.

Furthermore, Ubuntu LTS releases receive kernel updates every second point release - They aren't stuck on the one kernel for the life of the release.
 
Security updates are absolutely back ported to LTS releases in a very timely manner, LTS releases simply don't get feature updates. In a nutshell, that's the whole point of LTS releases.

Furthermore, Ubuntu LTS releases receive kernel updates every second point release - They aren't stuck on the one kernel for the life of the release.
I wasn't talking about security updates, I was talking about bug patches which might fix a vulnerability that hasn't been found yet.
 
I wasn't talking about security updates, I was talking about bug patches which might fix a vulnerability that hasn't been found yet.
Which are also back ported in many cases (when they're found, no point talking about bugs that haven't been found - That's speculation).
 
Which are also back ported in many cases (when they're found, no point talking about bugs that haven't been found - That's speculation).
That is sort of the point. They don't/can't backport everything. Sometimes just rolling the software's git is more secure.
Again, with LTS you are relying on a specific distro to be backporting things in a timely manner. Rolling release is using the power of the crowd, so to speak. Fixes get pushed to a software package's git, and it's rolled out by the major rolling releases within hours. The LTS developers are not pushing anything that fast. In general they test all backports (as they should); it does mean only the most critical OH shit stuff gets patched same day. Then you also have all the little security bits that just happen via osmosis with package updates... things that may not be viewed as major threats, or threats at all, but are.

Another issue with home users is going to be which packages they are installing. The LTS developers sure are all over major flaws in things their customers are using like the CUPS system, and so on. Are they speedily updating things like VLC? Mplayer? X or Y old version of Python a home user installed for some obscure key binding software? Or some other framework to support a package never used in a workstation/server setting? LTS are focused on security for their customers. That is the main thing I would contend: for home type users, rolling is just more secure for all the random little packages they are going to be using.

And for what it's worth, in the end... LTS, rolling, semi-rolling, non-rolling with user added repos, whatever. They are all pretty damn secure these days, and every single Linux anything is 10x more secure than Windows, and at least as secure as MacOS.
 
That is sort of the point. They don't/can't back port everything.
When it comes to major security issues, patches are backported as fast as they are under rolling distros. As stated, talking about vulnerabilities that haven't been found yet is speculation - it's just as likely vulnerabilities will be introduced as a result of running bleeding edge software with little real world testing.

LTS isn't as frozen in time as some would like to believe, it's certainly not in the same ballpark as Debian Stable.
 
When it comes to major security issues, patches are backported as fast as they are under rolling distros. As stated, talking about vulnerabilities that haven't been found yet is speculation - it's just as likely vulnerabilities will be introduced as a result of running bleeding edge software with little real world testing.

LTS isn't as frozen in time as some would like to believe, it's certainly not in the same ballpark as Debian Stable.
I'll take today's build that will be replaced in 7 days over the frozen targets that have been on LTS commercial servers for 7 months. :) Just me though.
Linux is Linux. It's a different philosophy for security for sure. My opinion: LTS is for servers and workstations running very little non-core software, and often anything else being run is coded or heavily adapted by the people running it. They know what they are doing in general. IMO rolling is a more secure option for the way the average home user would use their machine: installing new software, installing non server/workstation packages. Gaming, overriding the LTS distros so they can run the latest Blender or VLC and so on. Probably not being developers, or supported by their companies' developers/IT engineers. :)

Either way I agree with you the core Linux files most likely to be an issue are very secure either way you go.
 
My opinion: LTS is for servers and workstations running very little non-core software, and often anything else being run is coded or heavily adapted by the people running it.
And yet, Ubuntu LTS is the only Linux desktop platform officially supported by Valve's Steam software - Hence the reason it's downloadable direct from Valve as a .deb:

https://help.steampowered.com/en/faqs/view/1114-3F74-0B8A-B784

https://wiki.archlinux.org/title/Steam

Important:

Currently, Steam for Linux is only supported on the most recent version of Ubuntu LTS with the Unity, Gnome, or KDE desktops.

The issues Arch users faced as a result of libtcmalloc issues running TF2 are still pretty fresh.

overriding the LTS distros so they can run the latest Blender or VLC and so on. Probably not being developers, or supported by their companies' developers/IT engineers. :)
Both are available as Flatpaks, or you can add PPAs for native support:

https://launchpad.net/~savoury1/+archive/ubuntu/blender

https://launchpad.net/~ubuntuhandbook1/+archive/ubuntu/vlc/

With the move to immutable distros, Flatpak certainly looks to be the future of Linux software packaging/distribution.
And yet, Ubuntu LTS is the only Linux desktop platform officially supported by Valve's Steam software - Hence the reason it's downloadable direct from Valve as a .deb:

https://help.steampowered.com/en/faqs/view/1114-3F74-0B8A-B784

https://wiki.archlinux.org/title/Steam


Both are available as Flatpaks, or you can add PPAs for native support:

https://launchpad.net/~savoury1/+archive/ubuntu/blender

https://launchpad.net/~ubuntuhandbook1/+archive/ubuntu/vlc/

With the move to immutable distros, Flatpak certainly looks to be the future of Linux software packaging/distribution.
You like to go back to that Ubuntu Valve thing. lol You know that is abandonware. Valve's latest, current and only SteamOS that matters is their own Atomic spin of Arch. We also know it's coming to more devices and probably an updated ISO this year.

Yes you take my point. PPA (Personal Package Archive). Overriding the distros base repositories. ;)

Agree with you on Flatpak for the mass market distros. SteamOS3 and maybe some future Atomic mass market distros are probably going to lean heavy on Flatpak, so they can push nice clean system updates. I am not a big fan of Flatpak, but it's the logical way forward for mass market stuff. I mean it works great on a Deck. Allows users to install nice sandboxed things. Valve can push updates and know no one can possibly have screwed anything up on their systems. When Nvidia enters the consumer CPU market later this year, I am sort of more and more feeling like NV might do something crazy like have their own atomic Linux. I mean they rebranded Ubuntu for their purposes; I could see them taking the core of SteamOS and with Valve's blessing rebrand it and maybe add some NV AI software to the mix. You think Jensen is crazy enough to take on Intel, AMD, Apple and Microsoft?
 
You like to go back to that Ubuntu Valve thing. lol You know that is abandonware.
It's not abandonware at all, Ubuntu LTS is the only official desktop platform supported by Valve's Steam software - Period. I always install Steam direct from Valve using the official .deb and have never, once, had a problem. SteamOS is Valve's supported mobile platform, it's really not ideally suited to desktop use.

Yes you take my point. PPA (Personal Package Archive). Overriding the distros base repositories. ;)
Most of the time, package dependencies are the same as Canonical's base repos. The only difference is the fact the resulting .deb is a newer software variant than that contained under Canonical's base repos. I've used certain PPAs for years with no issues whatsoever, and my chosen distro isn't even 'strictly' an LTS release.

Agree with you on Flatpak for the mass market distros. SteamOS3 and maybe some future Atomic mass market distros are probably going to lean heavy on Flatpak, so they can push nice clean system updates. I am not a big fan of Flatpak, but it's the logical way forward for mass market stuff. I mean it works great on a Deck. Allows users to install nice sandboxed things. Valve can push updates and know no one can possibly have screwed anything up on their systems. When Nvidia enters the consumer CPU market later this year, I am sort of more and more feeling like NV might do something crazy like have their own atomic Linux. I mean they rebranded Ubuntu for their purposes; I could see them taking the core of SteamOS and with Valve's blessing rebrand it and maybe add some NV AI software to the mix. You think Jensen is crazy enough to take on Intel, AMD, Apple and Microsoft?
I'm still not totally sold on immutable distros; there are still certain limitations that need to be addressed. Nvidia making their own distro would be interesting.
 
Rolling release distributions have their appeal, offering the latest software and features as soon as they’re available. However, this comes at a cost. New software is often insufficiently tested, leading to bugs and system instability. Worse, rolling releases frequently introduce security vulnerabilities that older, more tested versions in LTS distributions like Debian have already avoided or patched.

LTS distributions focus on stability and reliability. Their packages are rigorously tested and maintained with backported security fixes, ensuring users have a safe and dependable system. While they may lack the latest features, they offer a smoother, more predictable experience with minimal downtime.

For most users—especially in production environments—this trade-off is worth it. Stability, security, and reliability are more valuable than chasing the latest software, which often introduces more problems than solutions. LTS distros like Debian prove that a steady, well-maintained system is far superior to the unpredictability of rolling releases.
 
Personally, I'm using Devuan with sysVinit, because it's simple, stable, follows Debian releases, and doesn't have the bloat and complexity of systemd. Systemd tries to control everything, turning your system into a tangled mess. And I prefer the Debian release model with great security, not bleeding edge randomness with great potential for new security vulnerabilities not found elsewhere.
 
I also find LTS releases to be better suited to Nvidia hardware/drivers. I've been running Nvidia hardware for about 8 years now under Linux, and I've experienced very few deal breaker issues. Under an LTS release, Nvidia drivers can be upgraded or downgraded with a simple command resulting in no conflicts with other packages or bleeding edge kernels. Furthermore, with all necessary libraries contained within the driver package itself, there's no need to run the very latest kernel that could introduce regressions.

My gaming performance under an LTS distro is fantastic. As far as I can tell, when CS2 was released, Nvidia hardware/drivers were actually performing better than AMD/AMDGPU hardware/drivers.
 
When I installed Steam on Debian it was a straight install from .deb file.
 
He is hung up on this.
https://store.steampowered.com/steamos
He doesn't like people calling it abandonware. Even though it was released in 2013 and was based on Debian 8 (they are now on to 12).
SteamOS 2.0 is abandoned, yes.

SteamOS 3: right now SteamOS only ships for the Deck and recently some other handheld gaming devices. SteamOS3 is NOT abandonware. They just haven't released an ISO for desktops at this point, though they have said multiple times they do plan to release a proper ISO for desktops. The Arch based OS3 is what is currently in development. OS2, which was Debian based, has been abandoned. They still have the download page up for it cause people still have Steam Machines they purchased. It would be pretty shitty to remove the download for the OS on those machines if people want it.
 
Regarding the desktop and not handheld devices, I'm 100% sure. It's right here, direct from Valve:

https://help.steampowered.com/en/faqs/view/1114-3F74-0B8A-B784

Important:

Currently, Steam for Linux is only supported on the most recent version of Ubuntu LTS with the Unity, Gnome, or KDE desktops

And it's right here direct from Arch devs:

https://wiki.archlinux.org/title/Steam

The fact other distros are mentioned under the developer community page is irrelevant in relation to contacting Valve directly for support. If you have an issue under Steam and you're running anything but Ubuntu LTS, Valve will inform you that you have to channel your query to your distro's support channels and will not offer support - to quote the Arch Wiki:

Steam for Linux only supports Ubuntu LTS.[1] Thus, do not turn to Valve for support for issues with Steam on Arch Linux.

Hence the reason why the only Steam package available for Steam direct from Valve is a .deb. People under r/linux_gaming have experienced Valve turning back Arch users for support, and posted their very recent experiences for all to see. See a recent example below (Reddit link):

https://www.reddit.com/r/linux_gami...onse_i_got_from_steam_support_when_i_couldnt/

He is hung up on this.

I'm not too sure where you got that idea from. We're all Linux users, and we're the minority constantly fighting off Windows users - My comments aren't meant to be taken personally, let's all band together and get along.
 
I think we're fighting about semantics of customer support & not general support since they offer more than just deb files.
 
I think we're fighting about semantics of customer support & not general support since they offer more than just deb files.

https://store.steampowered.com/about/

Click 'Install Steam' and you'll download a .deb installer, literally every other distro has Steam available via their own software repositories that aren't officially affiliated with Valve's package.

Furthermore, it's not just Steam, look at the system requirements for almost any Linux native game under Steam and the only recommended distro will be Ubuntu LTS. Encounter an issue running anything but Ubuntu LTS, and you could be on your own. At the end of the day, the odds of encountering an issue are slim - But when Arch users couldn't play TF2 due to libmalloc issues, I was happily playing away without a care in the world.

In other news, I just went out and bought an RTX 4070S as they were on special with the advent of the RTX 50 series, and my VKD3D games fly running the 565.77 drivers. At 1200p (I run dual 1200p displays), path based ray tracing alone with ultra settings simply isn't a problem anymore - Games look amazing.
 
https://store.steampowered.com/about/

Click 'Install Steam' and you'll download a .deb installer, literally every other distro has Steam available via their own software repositories that aren't officially affiliated with Valve's package.

Furthermore, it's not just Steam, look at the system requirements for almost any Linux native game under Steam and the only recommended distro will be Ubuntu LTS. Encounter an issue running anything but Ubuntu LTS, and you could be on your own. At the end of the day, the odds of encountering an issue are slim - But when Arch users couldn't play TF2 due to libmalloc issues, I was happily playing away without a care in the world.

In other news, I just went out and bought an RTX 4070S as they were on special with the advent of the RTX 50 series, and my VKD3D games fly running the 565.77 drivers. At 1200p (I run dual 1200p displays), path based ray tracing alone with ultra settings simply isn't a problem anymore - Games look amazing.
I'm not worried about official support at all. Arch allows for native libraries instead of the runtime ones, which means I've not ever had a library issue with it. I haven't even touched TF2 in a very long time, so such concerns aren't anything I care about.
 