Don't they backport security fixes to the stable branch too? I'm a testing user, so I don't follow Stable's package updates very closely.
I'm not against backporting only serious security fixes (since both time and resources are limited, and a good trade-off is always the best choice). It just occurred to me that I didn't wrap my head around the details of this particular subject.
When you update Debian to a new release, you suddenly get a huge influx of changes: new Firefox, new DE, new bash, new kernel, new email client, etc. Everything gets updated at once.
It's likely that more than one thing will break your workflow, and you'll spend a significant amount of time dealing with all of those at once.
Arch just spreads that over time. Instead of having to deal with ALL of these things at once every 6 months (or every two years), I deal with tiny changes very often. It's very unlikely that both the kernel AND Firefox will have changes that affect me on the same day.
I also feel it's more sustainable to deal with small changes once every couple of weeks than huge changes twice a year. Arch is stable in that the changes per day ratio is constant over a long period of time, while Debian's is 0 changes for months, and then hundreds of changes at once.
I do think long term nix/guix will be the trend setters, but till then rolling release is where it's at for some of us.
I also just have to say, once you get used to running the latest of everything, the pain of a more traditional distro becomes much more noticeable.
One thing, all of this really makes me want to try gentoo again for a bit.
Why do you think so? We’ve never had such an easily accessible device used by so many people that routinely run untrusted code and is basically full of overly personal information and data. Yet we seldom hear security implications.
I’m no security researcher but have recently taken a dive into the topic and the state-of-the-art security research is with mobile OSs and iPhones and to a degree Android (GrapheneOS itself) does a great job at it.
These constitute fairly average years (within a factor of 2) so you can reasonably expect that a similar number of defects will be discovered in their currently shipping versions by the end of the year.