Fedora security vs Debian

Florian Weimer fweimer at redhat.com
Wed Nov 12 16:49:43 UTC 2014


On 10/31/2014 08:10 PM, Kurt Seifried wrote:
> I'd like to see your numbers on this. CentOS tracks RHEL pretty quickly,
> Debian is pretty good but not somehow magically better/faster all the
> time on security updates.

Debian can be faster for three reasons: lack of QA, ability to do 
embargoed builds (unlike Fedora and CentOS), and direct package pushes 
to the centrally hosted security.debian.org repositories.

Debian can push emergency fixes in roughly twice the build time plus ~15 
minutes (for repository push and mailing list notification).  After 
that, the packages are ready for installation, world-wide, independent 
of the local mirrors used.  Embargoed builds (for non-emergencies) hide 
the build time.

For Fedora, updates become available on mirrors as they sync with the 
master repositories, so there is a longer delay than 15 minutes.  There 
is also a tool-supported QA process which can add delays as well (but 
this may be a good thing in some cases).

However, these delays are less relevant than the decisions (explicit or 
otherwise) which security updates to provide.  In Fedora, it is pretty 
much up to the package maintainer (who will receive gentle prodding in 
case people care), rebases to new upstream versions are generally 
accepted, and security bugs of any severity can be fixed.  For Debian 
stable, the security team triages bugs based on their severity, and only 
a subset is fixed through a formal security update (minor issues can be 
corrected through regular bug-fix updates), and there is a general 
requirement to do backporting (which is more work for everyone involved).

In short, you'll see fixes for slightly differing sets of bugs, and 
which set is better is difficult to tell without knowing your specific 
use case.

-- 
Florian Weimer / Red Hat Product Security

