How quickly does your Linux distro implement security updates?

Which distro do you use, and how quickly does it implement security updates in general and for your browser in particular? I’d be particularly interested in hearing how satisfied you are about this if you are an enterprise user with subscriptions, because I have no idea about how fast their updates are!

Often I speak with pride about how I believe Linux to be far more secure than Windows. It’s been a long time since I looked at Windows and its security model. With Linux / open source I believe security updates generally come very quickly due to many developers taking pride in the quality of their work and striving to sustain high standards. I still find this whole area, and the issue of repos implementing security updates fascinating though!

(This discussion has been prompted by DL Episode 256 and my keeping an eye on browser updates on Debian (Stable and other versions), Fedora 35 and CentOS Stream 9. In particular it’s been six days since Mozilla rolled out its latest Firefox ESR security updates, and CentOS Stream 9 repos still haven’t updated. I find this very concerning.)

1 Like

When I installed the new version of Mint, and got the first updates, everything went fine except Firefox. It wouldn’t download and stalled the update process. I had to download and install the newest version from the site.
So I’m keeping an eye out for updates via the manager for Firefox.
Everything else goes fine AFAIK now.

1 Like

Thanks for this. The normal Linux Mint 20.3, I think, based on Ubuntu?

Would be interested to hear from Ubuntu users as well of course, as well as other distros :slight_smile:

I don’t know exactly how fast they happen because I don’t monitor it closely, but openSUSE tends to give me updates pretty quickly on both Leap and Tumbleweed. I also see the security advisories on the mailing list. I think that Leap is likely going to be more security focused than Tumbleweed based on the fact that it is based on SLE which is more security focused.

1 Like

I haven’t looked to see if the updates are general application updates or are security specific, but I see updates every day (Garuda Linux).

1 Like

Shortly after writing my reply, my update manager nudged me with an update for… Firefox! :raised_hands:
And yep, it’s the Ubuntu-based distro. Like I said, I seem to have some sort of addiction when it comes to this OS… :laughing:

1 Like

Every time DL has had a representative of SUSE on, I think of you @CubicleNate :slight_smile: They always impress me, but the one time I tried Tumbleweed it didn’t work in my VM for some reason. I’m guessing I just did it on an off day, and given it updates so often, I really should try it again!

Thanks for your feedback. I find their model quite fascinating too, just as I am currently quite intrigued with CentOS Stream and have been since it was first released. It seems to be an acquired taste though :slight_smile:

1 Like

I’ve heard only good things about Garuda Linux so far, and this continues the good news. Thanks for sharing it :slight_smile:

1 Like

Lol - well Mint was the first distro I tried after years away from Linux, mostly because it had a reputation for stable desktop environments (at the time XFCE, Cinnamon and I can’t remember what else. MATE perhaps?) and it was the uncertainty about DEs prior to that with Gnome 3 under development, Unity going in its own direction with Mir, I think it was called at the time, rather than Wayland, and KDE 4 being new and flaky - at least that’s what I seem to remember from about 9-10 years ago, I think.

I switched pretty quickly to Linux Mint Debian Edition, but got cold feet with it because it was based on Debian Testing, and Debian said Testing was potentially the slowest stream for security updates, with Stable and Unstable both being faster; that’s what brought me to Debian Stable very soon after Mint.

I was a little suspicious of Ubuntu and Ubuntu based distros at the time, because they seemed to be diverging from the mainstream with Mir, though I know a lot of folks did like Unity a lot.

I first heard of Garuda from @dasgeek.

I recently replaced my gaming computer and I tried several distros, but Garuda was the only one that worked out of the box with the crappy Realtek wifi chipset & video card. The bonus with the video card is that Vulkan also worked out of the box. So, I kept using it. My previous experience with Arch-based distros was not as good. But now I’m hooked.

One of the best things that I like about Garuda is that I can boot to different snapshots (btrfs) from the grub menu. It just doesn’t get any easier than that.

I ran MX linux with Xfce for a couple of years. It was dead-simple and reliable for me. I don’t care for Gnome, just a personal thing for me.

I run Debian 11 on my servers/VMs, Solus on my laptops, and Garuda on my gaming computer. I use Plasma on Garuda and Solus. Both have been excellent. There are a lot of good distros out there, though.

1 Like

I’m strongly of the opinion that if the thing is not broken, do not fix it. Yes, it is true that by updating and upgrading you can get rid of known security issues, but updating and upgrading also introduces new security issues. It is often these new issues that cause big problems and are covered in the news. In my opinion, if your stuff works, do not update it. It is more secure to fix it only when it is broken. Of course internet hygiene helps too, and the issue is most often between the user’s head and keyboard. Also the fixes may ruin your performance, like the Intel Spectre and Meltdown vulnerabilities. Just don’t click shady links in email or install shady software from the internet. Carefulness brings you a long way.

1 Like

There’s a bit of truth to that, but for argument’s sake, let’s say every security fix introduced a new security hole. You’d still be exchanging widely known vulnerabilities for ones that few, if any, knew about.

1 Like

I generally hold this too and don’t like everything updating all the time, meaning with feature updates, which I think are more likely to introduce more bugs than patching security problems that have been found. That’s why I use Debian Stable. When it comes to security problems though, if they’ve been reported, with fixes also made, I prefer to update and take my chances. Admittedly some years ago when mostly on Windows, I didn’t patch it much - very risky, I know, but that’s because I’d repeatedly suffered breakages from Microsoft. This continued from Windows 7 through to 10 inclusive. I am actually finding Windows 11 updates much more reliable and tend to apply them. Partly I think Continuous Integration and Continuous Delivery have been successfully mastered on many projects, and so I fear updates a lot less now than I used to. This coming from an era when Windows updates happened once every few years, and broke pretty much all previous applications that didn’t have new versions for the new Windows - lol!

This is exactly the problem. When a vulnerability is published, but not fixed, I think that’s quite a risky situation, hence my curiosity about how quickly repos implement and roll out security updates. Before they’re known, perhaps they are less likely to be exploited?

I tend to agree except for security updates. There are some lessons you just don’t want to have to learn the hard way.

2 Likes

Slackware and Mageia here, Firefox ESR is recent.

Slackware has a small set of packages and usually gets security fixes as they come but the user is in charge here, no popups, no GUI for that.

Mageia is also not slow in applying security patches AFAIK. For the newcomers there is already the mgaapplet that informs you of updates.

I know Debian was usually spot on with security, especially stable of course and sid.

@ak2020 Btw, Linux Mint Debian Edition had two editions, one based on Testing (the chaotic one) and one on Stable (the one that survived). I think Debian Testing was always more usable than Mint’s take on Testing.

1 Like

Regarding updates, I’d rather have a fully updated system than have to pick and choose which update to apply. It’ll always be a cat and mouse game between fixing problems and keeping them secret (like zero days, for instance; there’s a whole market out there).
So I’ll update as soon as it’s possible.
My 2 cents.

1 Like

Is there a reliable way of counting “security” vs other updates without physically reading the update output by hand and looking for the word “security”? Are they even marked?

Another question is… say I have security patch abc123 which has just installed, how would I tell how quickly I got it? Maybe I got it soon, maybe not, how would I know?

How quickly does your Linux distro implement security updates? No idea, but I’m sure I get them when they are ready.

1 Like
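For the two questions in the post above (are security updates marked, and how would I know how quickly I got one), here is an added example, not code from anyone in this thread, that shows how a Debian/Ubuntu box answers both from data it already has. Security updates are marked: `apt-get --just-print upgrade` prints each pending package with the archive it comes from (`Debian-Security:11/stable-security`, `Ubuntu:22.04/jammy-security`, and so on), and the lag can be measured by comparing the maintainer's changelog date in `/usr/share/doc/PKG/changelog.Debian.gz` with the `upgrade` line for that version in `/var/log/dpkg.log`. The sample apt, dpkg.log and changelog text below is constructed for the demo (versions and timestamps are made up), and the script assumes dpkg.log timestamps are in UTC, which is an assumption because dpkg writes local time without a zone.

```python
"""Added example (not from the thread): on a Debian or Ubuntu machine,
  1. count pending upgrades that come from a security archive vs. everything else;
  2. measure how long after a fix was published it actually landed on this box.

Inputs it expects (run these yourself and feed the text in):
  apt-get --just-print upgrade                -> 'Inst pkg [old] (new origin [arch])' lines
  /var/log/dpkg.log                           -> 'YYYY-MM-DD HH:MM:SS upgrade pkg:arch old new'
  zcat /usr/share/doc/PKG/changelog.Debian.gz -> entries ending ' -- Name <mail>  RFC 2822 date'
"""
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# e.g. 'Inst firefox-esr [91.7.0esr-1~deb11u1] (91.8.0esr-1~deb11u1 Debian-Security:11/stable-security [amd64])'
APT_INST_RE = re.compile(r"^Inst (\S+) (?:\[[^\]]*\] )?\((\S+) (.*?) \[\S+\]\)$")
DPKG_UPGRADE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) upgrade ([^:\s]+):\S+ \S+ (\S+)$")
CHANGELOG_HEAD_RE = re.compile(r"^(\S+) \(([^)]+)\) ")
CHANGELOG_TRAILER_RE = re.compile(r"^ -- .+?>  (.+)$")


def classify_pending(apt_output):
    """Return {'security': [(pkg, version)], 'other': [...]} from apt's --just-print text.
    A package is a security update when any listed origin is a security archive."""
    result = {"security": [], "other": []}
    for line in apt_output.splitlines():
        m = APT_INST_RE.match(line)
        if not m:
            continue  # 'Conf', 'Remv' and chatter lines are not pending installs
        pkg, new_version, origins = m.groups()
        bucket = "security" if "security" in origins.lower() else "other"
        result[bucket].append((pkg, new_version))
    return result


def changelog_release_date(changelog_text, version):
    """Date on the ' -- ' trailer of the changelog entry for `version`, or None."""
    current = None
    for line in changelog_text.splitlines():
        head = CHANGELOG_HEAD_RE.match(line)
        if head:
            current = head.group(2)
            continue
        trailer = CHANGELOG_TRAILER_RE.match(line)
        if trailer and current == version:
            return parsedate_to_datetime(trailer.group(1))
    return None


def dpkg_install_time(dpkg_log, pkg, version):
    """When dpkg upgraded `pkg` to `version`, from /var/log/dpkg.log.
    Assumption: dpkg.log timestamps are treated as UTC (dpkg writes local time, no zone)."""
    for line in dpkg_log.splitlines():
        m = DPKG_UPGRADE_RE.match(line)
        if m and m.group(2) == pkg and m.group(3) == version:
            return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return None


def upgrade_lag_days(dpkg_log, changelog_text, pkg, version):
    """Days between the maintainer's changelog date and dpkg installing that version."""
    released = changelog_release_date(changelog_text, version)
    installed = dpkg_install_time(dpkg_log, pkg, version)
    if released is None or installed is None:
        return None
    return (installed - released).total_seconds() / 86400


# --- constructed sample data for the demo; not real output from any machine ---
SAMPLE_APT = """\
Reading package lists...
Inst firefox-esr [91.7.0esr-1~deb11u1] (91.8.0esr-1~deb11u1 Debian-Security:11/stable-security [amd64])
Inst libc6 [2.31-13+deb11u2] (2.31-13+deb11u3 Debian:11.3/stable [amd64])
Inst tzdata [2021e-1] (2022a-0+deb11u1 Debian:11.3/stable, Debian-Security:11/stable-security [all])
Conf firefox-esr (91.8.0esr-1~deb11u1 Debian-Security:11/stable-security [amd64])
"""
SAMPLE_DPKG_LOG = """\
2022-04-11 08:15:02 startup archives unpack
2022-04-11 08:15:03 upgrade firefox-esr:amd64 91.7.0esr-1~deb11u1 91.8.0esr-1~deb11u1
2022-04-11 08:15:09 status installed firefox-esr:amd64 91.8.0esr-1~deb11u1
"""
SAMPLE_CHANGELOG = """\
firefox-esr (91.8.0esr-1~deb11u1) bullseye-security; urgency=high

  * New upstream release (security fixes, see upstream advisory).

 -- Example Maintainer <maintainer@example.org>  Tue, 05 Apr 2022 20:30:00 +0000

firefox-esr (91.7.0esr-1~deb11u1) bullseye-security; urgency=high

  * New upstream release.

 -- Example Maintainer <maintainer@example.org>  Tue, 08 Mar 2022 18:00:00 +0000
"""

if __name__ == "__main__":
    pending = classify_pending(SAMPLE_APT)
    print(f"pending security updates: {len(pending['security'])}, other: {len(pending['other'])}")
    lag = upgrade_lag_days(SAMPLE_DPKG_LOG, SAMPLE_CHANGELOG, "firefox-esr", "91.8.0esr-1~deb11u1")
    print(f"firefox-esr fix installed {lag:.1f} days after the maintainer's changelog date")
```

The changelog date measures the distro's own packaging lag, not Mozilla's: to get the full "upstream release to installed" delay you would compare the dpkg timestamp against the upstream release date instead. On Fedora/CentOS the equivalent marking is `dnf updateinfo list security`, which this script does not parse.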

Slackware was the first Linux distro I used and I remember feeling a little terrified if I forgot to select all of the correct packages when choosing what to install, because it would have been far too daunting for me to add new packages manually after the installer had completed. This is from the mid-90s when a 56K modem was considered whizz-bang kit, if I remember correctly lol, and I’m not sure if repositories existed - at least maybe not with automated download and install the way we have now. I’m glad Slackware’s quick to make new packages available for its expert users. I am guessing they’re basically zipped tarballs?

I remember Mageia and the distro(s) it was derived from going way back too. Glad they’re on top of this all.

Maybe it’s just me, but I always seem to feel more inclined towards community efforts (like Debian) than corporate ones, like Ubuntu, or anything much derived from it, even if it’s a Linux-friendly corporation like Canonical. Hence my preference for Debian over Mint, or at least Linux Mint Debian Edition rather than vanilla Mint (Ubuntu based).

I’m with you on this 100%. With Debian Stable, pretty much every update is security only, so I tend to apply updates as soon as I can too. It’s the known security problems that have fixes implemented but haven’t yet been rolled out to repos that I’m finding myself worried about at the moment!

I think the security updates are registered in a national database, whereas other updates are not.

This looks useful:

As far as I understand, I believe it draws on:
https://nvd.nist.gov/vuln/data-feeds#RSS

3 Likes

NVD/NIST is the correct national database if you are looking for the CVE details about the vulnerability.

1 Like

Firefox has had two updates recently in quick succession. Glad to see Debian Stable has implemented the security patches and made them available on repos. Fedora seems to still be lagging, surprisingly. I wonder how other distros are doing on crucial browser updates?