Quoting Brian May (brian(a)microcomaustralia.com.au):
> For me the benefit Ubuntu has is that I get daily
> that rarely break anything (yes I know it does happen) without having
> to do a daily upgrade to the latest Debian/testing (which ends up
> taking significant time, especially if you have multiple computers to
> maintain and/or if things break badly) while at the same time not
> falling behind as much as Debian/stable.
What you describe resulting from 'doing a daily upgrade to the latest
Debian/testing' implies doing something like 'apt-get dist-upgrade',
which indeed hogs a lot of time and bandwidth -- especially if you've
made the error of doing a kitchen-sink installation -- but is completely
The interesting thing about Debian's security updates (as detailed on
the debian-security-announce mailing list,
) is that, upon
examination, you find that 95% are either irrelevant to your installed
system for one reason or another (package not installed, threat model
applies only to a particular configuration you don't have), or is
intended to fix theoretical vulnerabilities so far-fetched that there's
no hurry dealing with them.
In 2011 so far, there have been 211 postings to that mailing list (whose
postings I skim-read). Of those, 42 were package updates that were
_potentially_ applicable to my Debian servers, and 42 were _potentially_
applicable to my Debian workstation.
However, the actual number of relevant updates has been much smaller
than that. Let's consider the 42 workstation packages, and spot/weed
out the ones that can be ignored:
DSA-2141-2, nss: This addressed the far-fetched TLS man-in-the-middle
scenario in January, which I already render irrelevant in other ways.
DSA-2142-1, dpkg directory traversal: Far-fetched attack on .deb
source-code packages that are in 3.0 quilt format.
DSA 2149-1: local DoS against dbus; not much of an attack. Carefully
crafted system messages could cause an instance of dbus to segfault, but
it'd launch another, so not a big deal.
DSA 2151-1 (still January): Set of OO.o bugs whereby malicious RTF
documents, XML filters, TGA (Targa) graphics files, MS-Word files could
'potentially execute arbitrary code' as the local user, which means
there's no exploit and may never be but you should get around to
upgrading on general principle. I didn't bother, but instead just gave
OO.o the heave-ho when LibreOffice came out.
DSA 2152-1, hplip: irrelevant because I don't use the SNMP discovery
DSA 2153-1, linux-2.6: Almost entirely bugs in drivers and subsystems I
don't use, except some minor information leakage and several local-user
DoS bugs, meriting eventually kernel upgrade when convenient but not
DSA 2164-1, shadow: Farfetched, and I don't use NIS.
DSA 2176-1, cups: Basically, DoSing the print daemon with malformed
files, in which case it segfaults and cupsd forks/execs another copy.
DSA 2200-1: iceweasel: Blacklisting several fraudulent SSL certs
issued by Comodo, which is nice but I'd already manually removed the
Comodo root cert.
DSA 2203-1: nss: Same Comodo certs, already dealt with locally.
DSA 2213-1: x11-xserver-utils (xrdb utility): So-called remote attack
if remote X11 is enabled (who does that?) or there's a 'rogue DHCP
server' on the local LAN issuing 'crafted hostnames' that might in some
farfetched scenario possibly stack-smash the xrdb utility that might in
theory escalate privilege. Farfetched, no hurry.
DSA 2217-1, dhcp3: 'Rogue DHCP server' could send DHCP client shell
meta-characters that could speculatively maybe some day lead to an
exploitable way to execute arbitrary code as the dhclient user.
Farfetched, and moreover irrelevant because I have
DSA 2240-1, linux-2.6: Various kernel bugs, all of them in drivers and
subsystems I don't use, except for one about video support for AGP
devices, which is irrelevant because my users aren't in group 'video'.
DSA 2264-1, linux-2.6: As above.
DSA 2265-1: perl: 'tainted' flag isn't always handled correctly, which
is serious but irrelevant because I don't rely on it for anything.
DSA 2267-1, perl: Perl's 'safe' module can sometimes be bypassed, which
is serious but irrelevant because I don't rely on it for anything.
DSA 2275-1, OO.o: Import filter for Lotus Word Pro is subject to
theoretical, speculative attack as the local user, but this is
irrelevant because I don't use Lotus Word Pro files.
DSA-2287-1, libpng. Several bugs, the most serious of which can be used
to make libpng grab lots of RAM, maybe fall over, and very speculatively
maybe some day accomplish more mischief. Not urgent.
DSA 2292-1, dhcp3. DoS: Remote attacker can make your DHCP client
program fall over. Bummer. Annoying, but hardly a security emergency.
DSA 2299-1, ca-certificates: Blacklisting Diginotar for incompetence as
a CA. Irrelevant for the same reasons as the Comodo issues.
DSA 2200-1, nss: Same.
DSA 2300-2, nss: Diginotar round 2. See above.
DSA 2303-1, linux-2.6: Mostly drivers and subsystems I don't use,
except two that are minor information leakage (to fix when convenient,
not an emergency) and a fascinating bug in TCP sequence number
randomisation that merits a kernel upgrade (again) when convenient but
not an emergency. (If your secret network transactions are accessible
merely by guessing packet sequence numbers, you aren't doing security
DSA 2303-2, linux-2.6: Fixes a nasty bug introduced by the prior fix.
(See? This is one reason to not be in a hurry except when haste is
DSA 2310-1, linux-2.6: Again, almost entirely drivers and subsystems I
don't use, excepting a couple of minor information leakage bugs. Merits
kernel upgrade when convenient, not an emergency.
DSA 2310-1, OO.o: Bugs in the MS-Word importer, which can cause OO.o
Writer to fall over but so far probably not much else.
Taking out the above 26 irrelevant or not-very-important updates, what
does that leave? One fairly serious glibc update, one fairly serious
PAM update, five updates each of iceweasel (Firefox) and icedove
(Thunderbird), and four updates to freetype: 16 package updates, plus
in some cases dependencies. So, _not_ 211 for the current year, but
rather _16_. Plus a kernel upgrade or two whenever convenient.
Also, because of my usage scenarios for Iceweasel and Icedove
(well-tuned NoScript and RequestPolicy for Firefox, simple HTML display
in Thunderbird), I actually ignore most upgrades with perfect safety
because I've addressed threat vectors at other levels.
Anyway, I hope you'll notice, _very_ few package upgrade result, if you
bother to read the DSAs and fix only what's worth fixing -- and if you
haven't installed the kitchen sink.
By the way, if you have numerous Debian machines needing package
updates, you do _not_ have them all fetch those in parallel. What you
do is have each host's apt subsystem use a shared local Squid cache you
establish for that purpose. That way, duplicate downloads are
> Yes, things can and do break badly in Ubuntu
> upgrades, but at least
> you only need to worry about these once every 6 months, not once every
As you see, you were misinformed. One just subscribes to the DSAs
(very low traffic announce-only mailing list), skim-reads the occasional
postings, ignores 95% as irrelevant, and acts on the remaining
dozen-plus packages per year.
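An added example (not part of the post, and not Debian's own tooling) of the triage the post describes doing by hand: each DSA's package is checked against what is actually installed, using a re-implementation of dpkg's version ordering so that "already fixed" and "needs upgrade" are told apart correctly, tildes and epochs included. The installed-package lines and the fixed versions are constructed sample data; only the DSA numbers come from the post.

```python
import re
from itertools import zip_longest

def _order(c):
    """dpkg's character weight: '~' sorts before everything, letters by ASCII, others after."""
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    """dpkg's fragment ordering: alternate non-digit runs (by _order) and numeric runs."""
    pairs_a = re.findall(r"(\D*)(\d*)", a)
    pairs_b = re.findall(r"(\D*)(\d*)", b)
    for (sa, na), (sb, nb) in zip_longest(pairs_a, pairs_b, fillvalue=("", "")):
        ka, kb = [_order(c) for c in sa], [_order(c) for c in sb]
        width = max(len(ka), len(kb))          # missing chars weigh 0, so "a" > "a~"
        ka, kb = ka + [0] * (width - len(ka)), kb + [0] * (width - len(kb))
        if ka != kb:
            return -1 if ka < kb else 1
        if int(na or 0) != int(nb or 0):       # leading zeros are insignificant
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0

def _split(v):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def dpkg_version_cmp(v1, v2):
    """Debian version ordering: epoch, then upstream version, then revision (<0, 0, >0)."""
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def triage(installed_text, dsas):
    """Map each DSA to 'not installed', 'already fixed' or 'needs upgrade'."""
    installed = dict(l.split() for l in installed_text.splitlines() if l.strip())
    verdicts = {}
    for dsa, pkg, fixed in dsas:
        cur = installed.get(pkg)
        verdicts[dsa] = ("not installed" if cur is None else
                         "already fixed" if dpkg_version_cmp(cur, fixed) >= 0 else "needs upgrade")
    return verdicts

# Constructed sample data in the shape of `dpkg-query -W -f='${Package} ${Version}\n'`
INSTALLED = "libpng12-0 1.2.44-1\ndhcp3-client 3.1.3-2+squeeze1\nlibc6 2.11.2-10\n"
# DSA numbers are the post's; package names and fixed versions are made up for the example.
DSAS = [("DSA 2287-1", "libpng12-0", "1.2.44-1+squeeze1"),
        ("DSA 2292-1", "dhcp3-client", "3.1.3-2+squeeze3"),
        ("DSA 2217-1", "dhcp3-client", "3.1.3-2+squeeze1"),
        ("DSA 2152-1", "hplip", "3.10.6-2+squeeze1")]
```

On a real host, feed `triage` the output of the `dpkg-query` command named in the comment and the package/version pairs from the DSA text; only the "needs upgrade" entries are the ones the post says are worth acting on.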