Is it ok to casually browse the web? Can I get hacked more easily while using Debian?
For frozen distributions such as Debian, package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes (particularly for less popular software) do not receive a CVE ID at all and therefore do not make it into the distribution with this patching model. As a result, minor security fixes are sometimes held back until the next major release.
Debian pushes important security updates regularly on Debian stable. My understanding is that the more niche a program is and/or the smaller the attack surface area, the less likely it will be patched in Debian.
If you are using Chromium or Firefox ESR from the Debian repo, these receive security patches regularly/automatically when you check for updated packages. Here is a list of security updates, with the most Chromium/Firefox ESR patches happening last week:
Alternatively, you can use Flatpak (or snap) to run the browser in a secure container.
In my non-expert opinion, you can achieve adequate and above average security relative to most common threat models using a stable release like Debian Stable, Ubuntu LTS or RHEL, if your other habits and choices are reasonably prudent.
(I think this has become even more true in recent years with technologies like distrobox, flatpak, snap, and containers in general, which to some degree have decoupled application and OS updates)
I personally think that many people tend to get tunnel vision and/or exaggerate the practical impact of release cycle/cadence. I’m not saying it is a non-issue (and I personally prefer a faster update cadence), I just think that it’s not as black and white, and in the bigger picture, not one of the most impactful factors or decisions for most peoples’ threat models. I’ve used rolling releases, LTS releases, and everything in between; I do not personally feel meaningfully more or less secure on one or the other.
With that said, Debian stable would not be one of my personal top choices for a daily driver desktop distro. But that is a personal preference mostly unrelated to privacy & security.
If you have to use a Debian based distro, you may want to consider Kicksecure, depending on your threat model.
If you have already installed Debian, you can even turn it into Kicksecure.
Debian Stable is considered one of the most secure Linux distributions, precisely because they don’t update to the latest shiny version of anything unless it’s for security patches.
Keep in mind that Debian doesn’t offer out-of-the-box support for Secure Boot (unlike Fedora, openSUSE, Ubuntu):
“While Debian does support Secure Boot, you’ll have to enroll your own MOK certificate and sign the kernel yourself. That also means you cannot install Debian without first disabling Secure Boot.”
This can’t be true. I installed Debian 12 stable with secure boot enabled. After installation I checked and secure boot was enabled and active for my installation.
Yes, I can confirm that Debian has secure boot; no special action needed.
Sorry, my source (see above) may be outdated…
How did you do this, please?
Generally you check this in the BIOS if it’s enabled. For my part, I am on Surface, so if Secure Boot is disabled I have a big red warning on boot.
It is technically less secure, but with good opsec and basic security measures, I would say you’re very safe, definitely more so than the average Windows user.
For all desktop Linux installations, I recommend installing AppArmor, using rootfs encryption, using sudo and locking root, getting software from trusted sources (developers, Debian repos, verified Flatpaks), and using a browser with a content blocker like Firefox and uBlock Origin.
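A small audit script, added here as an example (it is not from any poster in this thread and not Debian's own tooling), that checks from inside the running system the things discussed above: whether Secure Boot is actually active (the point debated in the Secure Boot replies), and whether AppArmor is enabled and root is locked (two of the recommendations in the previous post). The EFI variable path, its 4-byte-attribute-then-1-byte-value layout, and the `passwd -S` output format are assumptions based on standard UEFI and shadow-utils behaviour; each check takes its input as an argument so it can also be run against a constructed file.

```shell
#!/bin/sh
# Added example: each function reads a file or line passed as $1, falling
# back to the live system location when no argument is given.

# Secure Boot: the EFI variable holds 4 bytes of attributes followed by one
# byte of value (1 = enabled). Prints "enabled", "disabled" or "unknown"
# (unknown also covers legacy BIOS boot, where the efivars tree is absent).
secure_boot_state() {
    var="${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}"
    [ -r "$var" ] || { echo unknown; return 0; }
    byte=$(od -An -t u1 -j 4 -N 1 "$var" | tr -d ' ')
    case "$byte" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# AppArmor: the kernel exposes Y/N in this module parameter file.
apparmor_state() {
    f="${1:-/sys/module/apparmor/parameters/enabled}"
    if [ -r "$f" ] && [ "$(cat "$f")" = "Y" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Root account: "passwd -S root" prints "root L ..." (or "LK" on some
# systems) when the password is locked, "P" when a usable password is set.
root_locked() {
    line="${1:-$(passwd -S root 2>/dev/null)}"
    case "$line" in
        "root L "*|"root LK "*) echo locked ;;
        *) echo unlocked ;;
    esac
}

# Summary for interactive use (constructed labels, not distro output).
audit_report() {
    echo "secure boot: $(secure_boot_state)"
    echo "apparmor:    $(apparmor_state)"
    echo "root:        $(root_locked)"
}
```

Run `audit_report` as an unprivileged user; a "disabled" or "unlocked" line points at the item to fix (enable Secure Boot in firmware, install `apparmor`, or `passwd -l root`).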
A lot of Debian stable packages get security backports so I wouldn’t worry. I would more so think about if stable is really what you want for your use case or if you would prefer testing. Either way, Debian stable is definitely fine to use, and it only isn’t recommended by Privacy Guides because it doesn’t represent the “ideal”.
For me, just having Secure Boot enabled and installing Debian functions perfectly fine.