Fedora security vs Debian
fweimer at redhat.com
Wed Nov 12 16:49:43 UTC 2014
On 10/31/2014 08:10 PM, Kurt Seifried wrote:
> I'd like to see your numbers on this. CentOS tracks RHEL pretty quickly,
> Debian is pretty good but not somehow magically better/faster all the
> time on security updates.
Debian can be faster for three reasons: lack of QA, ability to do
embargoed builds (unlike Fedora and CentOS), and direct package pushes
to the centrally hosted security.debian.org repositories.
Debian can push emergency fixes in roughly twice the build time plus ~15
minutes (for repository push and mailing list notification). After
that, the packages are ready for installation, world-wide, independent
of the local mirrors used. Embargoed builds (for non-emergencies) hide
the build time.
For Fedora, updates become available on mirrors as they sync with the
master repositories, so there is a longer delay than 15 minutes. There
is also a tool-supported QA process which can add delays as well (but
this may be a good thing in some cases).
However, these delays are less relevant than the decisions (explicit or
otherwise) about which security updates to provide. In Fedora, it is pretty
much up to the package maintainer (who will receive gentle prodding in
case people care), rebases to new upstream versions are generally
accepted, and security bugs of any severity can be fixed. For Debian
stable, the security team triages bugs based on their severity, and only
a subset is fixed through a formal security update (minor issues can be
corrected through regular bug-fix updates), and there is a general
requirement to do backporting (which is more work for everyone involved).
In short, you'll see fixes for slightly differing sets of bugs, and
which set is better is difficult to tell without knowing your specific
Florian Weimer / Red Hat Product Security