Although I think many of the problems you addressed either (partially) fixable or a reasonable trade off, your argument show many realistic problems faced by a Debian user (me)!
First, I agree that a security problem is usually fixed in a new release, typical examples will be buffer overflow, array out of bound, and it really takes some effort to back-port it. I think the Debian partial respond to it is to have dedicated team working on essential, popular packages, like Linux, Bash, Firefox, Chromium ... The problem is of course that less popular package doesn't get this treatment and the security bugs are left unfixed for long time.
Second, about that Debian stable is too old, there is also an obvious fix, which is to install the testing distribution, which is really what you should do as a desktop user. Stable distribution is actually for server user, which don't want things change that often, for example my university allows us to ssh into Debian stable VM running on top of QEMU.
Third, regarding the reputation and report-bug-to-upstream, I think you are absolutely right. It is up to the users to figure out the right way to report bug. Sure, there is a lot of info available in Debian Wiki, but I see that often happen, especially with popular packages.
Fourth, you said that it would be too much work for upstream to package software for Debian. I think this is why we have Debian Developers and Debian Maintainer. These guys knows Debian better than average developers and can help or even do the job for you if the package is sufficiently interesting to them. Also, I think packaging for Debian worth the effort IMO not because that Debian is quite popular, but because Debian has many downstream distros, so you are essentially packaging for them as well.
Finally, there is a trick that fits my personal needs of running latest version of packages (like youtube-dl). I runs a custom package manager (Gnu Guix) on top of Debian. It is really the best of both worlds for me. Normally, I install packages from Guix. But if it doesn't work, I fall back to install from Debian. This way I get a sufficiently stable base OS (Debian testing) and bleeding edge packages (Gnu Guix master branch). Of course, it is perhaps too much work for a typical desktop user. At this stage, I would recommend simply install Debian testing.
Power management, mobile and firmware developer on Linux. Security developer at Aurora. Ex-biologist. mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer. Also on Mastodon.
![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
A great overview of Debian
Date: 2016-08-22 02:42 pm (UTC)First, I agree that a security problem is usually fixed in a new release, typical examples will be buffer overflow, array out of bound, and it really takes some effort to back-port it. I think the Debian partial respond to it is to have dedicated team working on essential, popular packages, like Linux, Bash, Firefox, Chromium ... The problem is of course that less popular package doesn't get this treatment and the security bugs are left unfixed for long time.
Second, about that Debian stable is too old, there is also an obvious fix, which is to install the testing distribution, which is really what you should do as a desktop user. Stable distribution is actually for server user, which don't want things change that often, for example my university allows us to ssh into Debian stable VM running on top of QEMU.
Third, regarding the reputation and report-bug-to-upstream, I think you are absolutely right. It is up to the users to figure out the right way to report bug. Sure, there is a lot of info available in Debian Wiki, but I see that often happen, especially with popular packages.
Fourth, you said that it would be too much work for upstream to package software for Debian. I think this is why we have Debian Developers and Debian Maintainer. These guys knows Debian better than average developers and can help or even do the job for you if the package is sufficiently interesting to them. Also, I think packaging for Debian worth the effort IMO not because that Debian is quite popular, but because Debian has many downstream distros, so you are essentially packaging for them as well.
Finally, there is a trick that fits my personal needs of running latest version of packages (like youtube-dl). I runs a custom package manager (Gnu Guix) on top of Debian. It is really the best of both worlds for me. Normally, I install packages from Guix. But if it doesn't work, I fall back to install from Debian. This way I get a sufficiently stable base OS (Debian testing) and bleeding edge packages (Gnu Guix master branch). Of course, it is perhaps too much work for a typical desktop user. At this stage, I would recommend simply install Debian testing.
Hope this help!