Debian: stable or testing?

Discussion in 'all things UNIX' started by dogbite, Jun 25, 2016.

  1. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    I am thinking about switching from Fedora to Debian on my primary rig.

    Should I go for Stable or Testing? Stable is... well... very stable, but it also lacks up-to-date applications. Testing is much more up to date, but is it usable (stable enough) for daily use?

    Another question: EasyLife makes Fedora basically complete with codecs and additional stuff; what about Debian? I mean I need a system which can play/rip CDs, DVDs, etc.

    Thank you.
     
  2. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    193
    I really don't mean to be one of THOSE guys, but if you care about security and you want a pretty stable distro with new software and easily installable codecs, have you considered Arch? It's really not that bad once set up. It has a lot of security tools available now (up-to-date software, a grsecurity kernel (linux-grsec), RBAC/Tomoyo/AppArmor, paxd, hardening-wrapper, etc.); it's probably the third most secure distro in Linux (after Gentoo Hardened and Subgraph) now. Just throwing it out there; it seems like it might be a better fit given what you want.

    I would say if you want to stick with Debian, go take a look at the software available in the backports repository. If the software you need up to date is there, go with Stable and use backports. If not, see if testing is up to date enough.

    You will like Debian either way: APT is great, the repos are massive, it's pretty easy to install and use, it's possible to use as a rolling release distro, etc. etc. Just watch out for insane dependency chains (Arch can be guilty of this too, so check the AUR for packagename-light to see if any are available without the kitchen sink), and be patient (APT isn't very fast, though probably faster than yum was).
     
  3. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    Arch does not like my hardware; I tried to test it but failed, and I do not want to spend time on it any longer. Thank you anyway.
     
  4. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    193
    Fair enough :) Then check out backports and see if the software you need up to date is there. I think I personally would roll on testing so that you never have to do a big distro upgrade. I used a Debian install for years set up this way and didn't have any issues.

    If you decide stability is the most important, just know that stable will need a big upgrade every 1-2 years, depending on how long they decide to provide security updates. Still, that's pretty simple on Debian: make a backup, take a BTRFS snapshot (if you use it), then change your repos in /etc/apt/sources.list from "jessie" to "stretch" (stretch is testing right now; it will become stable and jessie will become oldstable), apt-get update and then apt-get dist-upgrade or aptitude safe-upgrade etc. Once done, assuming it works, delete your btrfs backup snapshot (and probably run balance on the partition to free up allocated data blocks), update your backup, and you're good for another 1-2 years :D
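The two Debian procedures mentioned in this thread (enabling the backports suite on stable, from the second post, and the jessie-to-stretch codename switch with a btrfs safety snapshot, from this one) as an added shell example. This is not the poster's script. It assumes deb.debian.org as the mirror, a btrfs root subvolume, an assumed snapshot location of /.snapshots, and root privileges for the --run path; the text-only helpers (switch_release, check_release, enable_backports) can be exercised on a copy of sources.list without touching the system.

```shell
#!/bin/sh
# Added example, not the poster's own script. Assumptions: Debian stable with
# / on a btrfs subvolume, apt-get and btrfs-progs installed, deb.debian.org as
# mirror, /.snapshots as snapshot location. The destructive part only runs
# when invoked as:  sh upgrade.sh --run jessie stretch   (as root)
set -eu

# Add the backports suite for RELEASE in DIR (normally /etc/apt/sources.list.d).
# Backports are published with "NotAutomatic: yes, ButAutomaticUpgrades: yes",
# so apt pins them at priority 100: nothing is pulled from there unless asked
# for with -t, but a package installed from backports keeps getting its updates.
enable_backports() {   # usage: enable_backports RELEASE DIR
    release=$1; dir=$2
    printf 'deb http://deb.debian.org/debian %s-backports main\n' "$release" \
        > "$dir/backports.list"
    echo "install from it with: apt-get -t ${release}-backports install PKG"
}

# Rewrite the codename field of every apt source line in FILE from OLD to NEW,
# keeping a .bak copy. Matching the space-prefixed " old" also moves the
# "old-updates", "old-backports" and "old/updates" (security) suites along.
switch_release() {   # usage: switch_release OLD NEW FILE
    old=$1; new=$2; file=$3
    cp "$file" "$file.bak"
    sed "s/ $old/ $new/g" "$file.bak" > "$file"
}

# Fail if any deb/deb-src line in FILE still points at a suite other than NEW,
# so a stale line (a third-party repo, a typo) is caught before apt-get update.
check_release() {   # usage: check_release NEW FILE
    new=$1; file=$2
    if grep -E '^deb(-src)? ' "$file" | grep -v " $new" | grep -q .; then
        echo "source lines not on $new:" >&2
        grep -E '^deb(-src)? ' "$file" | grep -v " $new" >&2
        return 1
    fi
}

# The upgrade itself, in the order the post describes, plus the minimal
# "apt-get upgrade" pass the Debian release notes recommend before dist-upgrade.
do_upgrade() {   # usage: do_upgrade OLD NEW   (root, destructive)
    old=$1; new=$2
    snap="/.snapshots/before-$new-$(date +%Y%m%d)"   # assumed snapshot path
    mkdir -p /.snapshots
    btrfs subvolume snapshot -r / "$snap"             # read-only rollback point
    switch_release "$old" "$new" /etc/apt/sources.list
    check_release "$new" /etc/apt/sources.list
    apt-get update
    apt-get upgrade
    apt-get dist-upgrade
    echo "Reboot and verify, then reclaim space with:"
    echo "  btrfs subvolume delete $snap && btrfs balance start -dusage=50 /"
}

if [ "${1:-}" = "--run" ]; then
    do_upgrade "${2:-jessie}" "${3:-stretch}"
fi
```

check_release is the step worth keeping even if you do the rest by hand: a sources.list that still carries one old-release line (or a third-party repo that never got a stretch suite) is exactly what leaves a box half-upgraded.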
     
  5. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    So basically Testing is a rolling one. Excellent...
     
  6. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    722
    No offense meant - but that's a questionable statement. Yes, Arch always gets (security) updates very fast, and it offers grsecurity (as Debian does). On the other hand, Tomoyo and AppArmor are not supported unless you compile your own kernel. Not to mention SELinux which is very hard to implement in Arch. And the hardening-wrapper is just a tool - it doesn't tell us how many packages are actually hardened. As a matter of fact, e.g. in Fedora since v. 23 all packages are hardened by default while in Arch they are not yet with a few exceptions. So saying that Arch is the third most secure distro and, hence, more secure than most other distros is problematic, IMHO.
     
  8. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    193
    None taken; everyone has their own opinion. Tomoyo is, by the way, enabled on the linux-grsec kernel, though I haven't had much luck with it. Yes, the linux-grsec kernel has to be recompiled for AppArmor support. Yes, SELinux is a nightmare on Arch.

    I should have been clear about hardening-wrapper. It is just a tool, but not only maintainers can use it. I have yaourt installed as well as customizepkg. Any file named after a package in /etc/customizepkg.d causes its respective package to be automatically built from source when I update. Because I have hardening-wrapper, those packages are automatically built hardened. I only have about 25 in /etc/customizepkg.d, but nearly all my commonly running packages are FullRELRO/canary/PIE, which is pretty good. I should note that without very careful usage, yaourt is a security problem in and of itself: not the best AUR wrapper for security, but it does provide built-in ABS support. I don't experiment often; I prefer to keep a familiar setup.

    On Fedora and hardening, I did NOT know that; that is really cool. I stand corrected; I might actually install it in a VM knowing that :D That would make Arch fourth by my humble metric. Given Fedora having great SELinux support, this makes Fedora a pretty tough distro to crack.

    Finally, I suppose I should put it this way: Arch can be made very secure with not a whole lot of effort. You use linux-grsec from community, install hardening-wrapper from community, use packages you trust with a small attack surface, use yaourt/customizepkg to compile running processes or known weaknesses (network facing processes), and recompile linux-grsec with AppArmor support. After the initial setup, the only recurring maintenance beyond a plain Arch install is rebuilding the kernel every 2-4 weeks for AppArmor support and letting yaourt auto-compile the few apps that are threatened.

    Many other distros have NO easy means of hardening packages, possibly no grsecurity patched kernel, also have little support for MAC implementations, etc etc.

    I mean no offense and I'm not trying to argue with you :) I try to put this info out there so that people realize that while, yes, Linux is inherently better oriented for security than Windows, some distros are inherently easier to make secure due to the options available.

    Truce? :D
     
  9. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    722
    Thanks, that's interesting! I have to look into this stuff. May I ask which 25 packages do you harden?

    I absolutely agree with you :thumb:

    Truce! :D
     
  10. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    193
    While technically I probably shouldn't, since it's never good to profile a system online, why not... I don't do anything worthy of the attention of three-letter agencies anyways :p

    *EDITED OUT to avoid profiling*

    Counting them up, 28 packages, so I was 3 off. Still, most compile very quickly and automatically, and maybe only a few times a week if that. Some of these are compiled because they are deps of packages I consider at risk but may not even be necessary. In that case I could probably prune the list down more...
     
    Last edited: Jun 28, 2016
  11. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,977
    Location:
    Brasil
    Arch is secure when the user runs grsecurity. If he/she doesn't run grsec, then Arch is less secure than Debian Stable. However, Arch is probably the most up-to-date distro out there, so it gets security fixes really quickly (depending on upstream). If fixes are not pushed upstream, Arch will be vulnerable, because it doesn't patch its software.

    Debian Stable is more secure than Testing/Sid/Arch, but software is outdated. The backports repo solves the date issue, but it can introduce security bugs. If you run Debian Stable, stick with the main repo as much as possible, and only run backported software when absolutely needed.

    Debian Sid does receive security fixes from the security team, sometimes more often/sooner than Stable, but it can be buggy as hell. It's not worth it, IMO.

    Debian Testing is not so buggy, but it's the least secure of the Debians. If a problem is found in Sid, it can take months for the security fix to get to Testing, leaving the users vulnerable. Running Testing (but with the occasional Sid software) is the solution for this problem, but it requires too much effort and is impractical.
     
  12. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    193
    I agree except I will say that Arch MAY backport security patches in certain cases. See: https://wiki.archlinux.org/index.php/CVE

    I have seen cases where a package with no upstream release fix has had patches applied and the backported fix shows up as an update. However, unfortunately this does not always happen (the chart shows that clearly, though be aware it is wrong in areas; it is not updated enough). What's particularly troubling is that sometimes patches are available, but upstream announces the next version will have the fix; the Arch devs will then wait until upstream drops a release instead of backporting the fix. That said, they only do this in cases where the attack is extremely limited in terms of being difficult/almost impossible to pull off. See: https://bugs.archlinux.org/task/49616

    Overall, in my opinion, Debian handles this better than Arch. At the same time, Debian's grsecurity setup is a little rougher (at the moment), packages are not as easy to harden as in Arch, and they don't have the awesome hardening policy I've learned today that Fedora has (even Arch seems to offer more hardened packages than Debian). I don't know if this is a push or not.

    Certainly there are distros with worse overall policies than either Arch or Debian- Manjaro for example. Manjaro is a security disaster waiting to happen. Linux Mint has had some bad security issues in the past too. That said, Arch was one of the last major distros to get package signing (!!) so...
     
  13. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,977
    Location:
    Brasil
    Yeah, I guess it's really rare that Arch backports something. I personally have never seen a backported package in the 3+ years I've used it.
     
  14. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    From a security perspective how is Debian Testing compared to Fedora? I mean, does it get patched more quickly than Fedora or not?
     
  16. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    722
    Thanks for your list! I'll see if and how I can use it myself.
     
  17. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    193
    Yeah, speaking strictly from a security update perspective, I would say Sid, stable and oldstable are more prompt than Testing. I ran Testing alongside an Arch install, and I often noted a 1-2 day gap between when security vulnerabilities were fixed in Testing vs Arch. I have no doubt that stable would equal or better Arch in this regard.

    My only criticism of Debian security-wise is the hardening state of their packages and the roughness of the grsecurity implementation. When they nail these down, Debian will be perfect.

    In related news, Arch is moving towards better hardening by default. See: https://lists.archlinux.org/pipermail/arch-dev-public/2016-May/028030.html

    -and-
    https://bbs.archlinux.org/viewtopic.php?id=200984

    **EDIT** I should note that the wiki's list of hardened packages may be slightly or severely incorrect. For example, I can verify that Firefox just recently started being shipped in the repos FullRELRO/Canary/PIE despite it not being listed as such on the wiki. If Firefox can be missed, then so can many other smaller packages...

    No problem; I'm going to go ahead and erase that list in a couple of days :p Probably paranoid, but nowadays who knows! :D
     
  18. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    722
    Indeed! I also checked it with checksec. The same is true for, e.g., Thunderbird and Firejail while other packages like dnsmasq, okular and gwenview have only partial relro and no pie. And, e.g., soffice.bin has only partial relro, no canary and no pie. So it really depends.
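The FullRELRO/canary/PIE properties that the hardening-wrapper discussion earlier in the thread and the checksec results in this post refer to are all readable straight from the ELF headers. As an added example (not checksec and not anything posted in the thread), the checker below pulls the same signals checksec uses out of a little-endian ELF64 image with nothing but the standard library: e_type for PIE, PT_GNU_STACK flags for NX, PT_GNU_RELRO plus a BIND_NOW dynamic flag for full RELRO, and the presence of __stack_chk_fail in .dynstr for the stack protector. build_fake_elf() constructs a synthetic, non-runnable ELF image with chosen properties so the checker can be exercised offline; its structure and the x86-64 machine type are assumptions for that test input only.

```python
import struct
import sys

# ELF constants (values from elf.h)
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC = 1, 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 0x1
DT_NULL, DT_STRTAB, DT_STRSZ, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr
DYN = struct.Struct("<qQ")                 # Elf64_Dyn


def _vaddr_to_offset(loads, vaddr):
    """Map a virtual address to a file offset through the PT_LOAD segments."""
    for p_offset, p_vaddr, p_filesz in loads:
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return p_offset + (vaddr - p_vaddr)
    return None


def elf_hardening(data):
    """Return {"pie", "nx", "relro", "canary"} for a little-endian ELF64 image.

    Same signals checksec reports. Note that a shared library is also ET_DYN,
    so "pie" means position independent, not necessarily an executable.
    """
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    hdr = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    result = {"pie": e_type == ET_DYN, "nx": False, "relro": "none", "canary": False}
    loads, dynamic, has_relro = [], None, False
    for i in range(e_phnum):
        p_type, p_flags, p_offset, p_vaddr, _, p_filesz, _, _ = PHDR.unpack_from(
            data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_offset, p_vaddr, p_filesz))
        elif p_type == PT_GNU_STACK:
            result["nx"] = not (p_flags & PF_X)   # no PT_GNU_STACK at all counts as no NX
        elif p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    bind_now, strtab, strsz = False, None, 0
    if dynamic:
        off, size = dynamic
        for pos in range(off, off + size, DYN.size):
            tag, val = DYN.unpack_from(data, pos)
            if tag == DT_NULL:
                break
            if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                bind_now = True
            elif tag == DT_STRTAB:
                strtab = val
            elif tag == DT_STRSZ:
                strsz = val
    if has_relro:   # GNU_RELRO alone is partial; BIND_NOW makes the GOT read-only too
        result["relro"] = "full" if bind_now else "partial"
    if strtab is not None and strsz:
        so = _vaddr_to_offset(loads, strtab)
        if so is not None:   # an imported __stack_chk_fail means -fstack-protector was used
            result["canary"] = b"\0__stack_chk_fail\0" in b"\0" + bytes(data[so:so + strsz])
    return result


def build_fake_elf(pie=True, nx=True, relro="full", canary=True):
    """Constructed test input: a minimal, non-runnable ELF64 image (assumed x86-64).

    Only headers, a .dynstr and a dynamic section, which is all elf_hardening() reads.
    """
    base = 0 if pie else 0x400000
    strtab = b"\0" + (b"__stack_chk_fail\0" if canary else b"") + b"puts\0"
    extra = [(PT_GNU_STACK, 0 if nx else PF_X)]
    if relro != "none":
        extra.append((PT_GNU_RELRO, 0))
    phnum = len(extra) + 2                       # plus PT_LOAD and PT_DYNAMIC
    strtab_off = EHDR.size + phnum * PHDR.size
    dyn_off = strtab_off + len(strtab)
    dyn = [(DT_FLAGS, DF_BIND_NOW)] if relro == "full" else []
    dyn += [(DT_STRTAB, base + strtab_off), (DT_STRSZ, len(strtab)), (DT_NULL, 0)]
    dyn_bytes = b"".join(DYN.pack(t, v) for t, v in dyn)
    total = dyn_off + len(dyn_bytes)
    phdrs = [PHDR.pack(PT_LOAD, 5, 0, base, base, total, total, 0x1000),
             PHDR.pack(PT_DYNAMIC, 6, dyn_off, base + dyn_off, base + dyn_off,
                       len(dyn_bytes), len(dyn_bytes), 8)]
    phdrs += [PHDR.pack(t, f, 0, 0, 0, 0, 0, 0) for t, f in extra]
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, LSB, version 1
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 62, 1, base + 0x1000,
                     EHDR.size, 0, 0, EHDR.size, PHDR.size, phnum, 64, 0, 0)
    return ehdr + b"".join(phdrs) + strtab + dyn_bytes


if __name__ == "__main__":
    # usage: python3 elfcheck.py /usr/bin/firefox /usr/lib/libreoffice/program/soffice.bin
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, elf_hardening(fh.read()))
```

Running it over a set of installed binaries is a quick way to reproduce the kind of audit described in this post (full RELRO and canary on the browser, partial RELRO and no PIE on something else) without depending on a wiki list that may be stale.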
     
  19. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136
    Run the stable version of Debian with PPAs for the programs you intend to use the most. This way you have a platform that won't break and has the latest of what you intend to use.
     