Why aren't LTS distros notorious for security breaches?

Why are LTS distributions that freeze packages for a while and backport security updates not notorious if they are clearly less secure? Such distributions, which have been preferred for many years on various systems in the enterprise, on servers and desktops, would have a bad reputation if they were significantly less secure and more vulnerable, and they would be replaced by distributions that are always updated. Maybe they have bad reputations but I just don’t know it.

1 Like

There is a massive difference between server and desktop usage.

Servers and desktops have entirely different workloads. The LTS model is okay when you have a server running basically one specific program that you set up and don’t want to change.

A desktop workload typically involves regularly running enormous amounts of untrusted code (e.g. in web browsers, email clients, etc.), they typically require support for the latest hardware, and they typically run a much larger variety of software all with their own dependencies compared to a server. Most users also want the latest features, although not everyone does.

All of this significantly increases the attack surface of the desktop, and is really incompatible with the LTS model.

There are rarely notorious Linux desktop security breaches because the market share for desktop Linux is very small, and the number of those users using LTS is even smaller. This speaks little about its actual security though, only its popularity.

There are rarely notorious Linux server security breaches because Linux servers, LTS or otherwise, are quite secure. Mainly by virtue of having a very limited attack surface.

6 Likes

I agree with the distinction about differences between server and desktop use-cases that @jonah and @Lukas made.

I would only add that (in my opinion) the difference in security between LTS and non-LTS feels pretty exaggerated and overstated to me.

It's not that it's wrong to say there are some security downsides to an LTS model, it's just that in practice it's more nuanced than it is often presented.

Using Ubuntu LTS as an example: while the release cycle is every 2 years, consider these mitigating factors:

  1. Both Ubuntu LTS and Debian have dedicated security teams whose role is to stay aware of and backport security fixes. Not every security-relevant fix will be correctly labeled as such, so some might fall through the cracks, but I’d assume the vast majority of serious vulnerabilities are patched.
  2. Something that rarely gets acknowledged in the LTS vs non-LTS conversation is that application updates and system updates are becoming more independent from one another (because of package formats like snap and flatpak). An LTS distro no longer necessarily means outdated applications, because they can be updated independently along with their dependencies. Ubuntu for example ships Firefox as a Snap package. One of the benefits of snap and flatpak is you can run the most up-to-date applications regardless of whether you use an LTS distro, a rolling release, or something in between.
  3. In the case of Ubuntu LTS, there is the HWE program, which provides updated kernel versions (and some other things) to LTS releases.

2 Likes
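Point 1 of the post above (backported fixes) has a practical consequence for anyone auditing an LTS machine: a backport keeps the upstream version string and bumps only the Debian revision, so a scanner that compares the upstream version against the upstream "fixed in" version reports false positives on LTS systems, and the package changelog (what `apt changelog <package>` prints) is where the fix is actually recorded. The following is an added example and not code from this thread or from Ubuntu or Debian: it parses a constructed Debian-format changelog, implements dpkg's version-comparison rules so the "installed version is at or above the fixing revision" check is done correctly, and gives a per-CVE verdict. The package name `examplepkg`, its versions, the maintainer line and the `CVE-2099-*` identifiers are placeholders made up for the example.

```python
"""Decide whether a CVE is fixed in a Debian/Ubuntu package by reading its
changelog (what `apt changelog <pkg>` prints) instead of the upstream version.
A backport keeps the upstream version (2.4.1) and bumps only the Debian
revision (3ubuntu0.1 -> 0.2), so "vulnerable if upstream < X" misfires on LTS.
Constructed example: 'examplepkg', its versions and CVE-2099-* are placeholders."""
import re

SAMPLE_CHANGELOG = """\
examplepkg (2.4.1-3ubuntu0.2) focal-security; urgency=medium

  * SECURITY UPDATE: out-of-bounds read in request parser
    - CVE-2099-0002

 -- Example Maintainer <maint@example.invalid>  Tue, 07 Feb 2023 10:00:00 +0000

examplepkg (2.4.1-3ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: integer overflow in length field
    - CVE-2099-0001

 -- Example Maintainer <maint@example.invalid>  Mon, 02 Jan 2023 10:00:00 +0000
"""

HEADER_RE = re.compile(r"^(?P<pkg>\S+) \((?P<ver>[^)]+)\) (?P<dist>\S+); urgency=")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_changelog(text):
    """Changelog entries, newest first, each with the CVE IDs its body mentions."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"version": m["ver"], "cves": set()}
            entries.append(current)
        elif current is not None:
            current["cves"].update(CVE_RE.findall(line))
    return entries

def _order(c):
    # dpkg's character weight: '~' sorts before everything, even end-of-string.
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else (ord(c) + 256 if c else 0)

def _verrevcmp(a, b):
    """dpkg's comparison of one version part: alternating non-digit and digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a[i:i + 1]), _order(b[j:j + 1])  # "" once past the end
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(v):
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """-1, 0 or 1 as `dpkg --compare-versions` would: epoch, then upstream, then revision."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    for r in (ea - eb, _verrevcmp(ua, ub), _verrevcmp(ra, rb)):
        if r:
            return 1 if r > 0 else -1
    return 0

def fixed_cves_at(entries, installed_version):
    """CVE IDs named in an entry whose version is <= the installed version."""
    fixed = set()
    for e in entries:
        if compare_versions(e["version"], installed_version) <= 0:
            fixed |= e["cves"]
    return fixed

def assess(entries, installed_version, cves_of_concern):
    """Per-CVE verdict; 'unknown' means no entry at or below this version names it."""
    fixed = fixed_cves_at(entries, installed_version)
    return {c: "fixed" if c in fixed else "unknown" for c in cves_of_concern}

def naive_upstream_check(installed_version, upstream_fixed_in):
    """The scanner logic that misfires on backports: compares the upstream part only."""
    return compare_versions(_split(installed_version)[1], upstream_fixed_in) >= 0
```

On a real system, feed the text of `apt changelog <package>` to `parse_changelog` and the output of `dpkg-query -W -f='${Version}' <package>` as the installed version; `dpkg --compare-versions` can be used to cross-check `compare_versions`. With the constructed data, `naive_upstream_check("2.4.1-3ubuntu0.2", "2.4.5")` says the package is still vulnerable, while `assess` finds the fix in revision 0.2. A fix the maintainer did not tag with a CVE ID (the "fall through the cracks" case in point 1) is invisible to this check, which is why the verdict for an unmatched ID is "unknown" rather than "vulnerable".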

If we get to the point where desktop applications are entirely Snaps or Flatpaks, LTS could start to make a lot more sense.

5 Likes

Agreed. At that point, I think either LTS base + up to date snap/flatpak apps or rolling atomic base system + up to date snap/flatpak apps could be a solid choice. And the difference between the two approaches would be much less significant.

1 Like

The issue on the desktop side of things in that case would still probably be hardware: patches, performance, and compatibility.

1 Like