Patching has always been a core, baseline requirement for secure computing systems, so it’s probably not great that we don’t talk about the meaningful differences between distributions when we recommend them to new users.

We cannot treat Linux distributions as if they all offer the same level of security. Distributing software after its maintenance is discontinued puts users at risk.

Ubuntu provides two major security improvements over Debian, but keeps one serious flaw.

First, Ubuntu clearly documents that there is a “main” set of packages they will maintain, and a second (much larger) “universe” set of packages for which they do not promise maintenance during a release. They set clear expectations for security coverage.

Diagram of Debian and Ubuntu main and universe collections

Second, Ubuntu publishes a new release every six months. Those releases include updates to the “universe” component, so that security issues get patched at least twice per year. That’s not great, but it’s better than every two years.

The flaw is that the “universe” collection is enabled by default, so most users never learn the difference between the two, and aren’t making informed decisions about their security. Most users believe Ubuntu is one collection with complete security coverage.

Red Hat and Fedora approach the same problem very differently.

Fedora publishes a new release every six months and maintains it for just over one year. This schedule keeps the release aligned with most upstream projects, so that Fedora can ship bug fixes provided by upstream projects.

Red Hat develops a distribution based on Fedora, and they, too, manage security by cutting the size of the distribution down to a size that they are staffed to maintain.

EPEL also extends the core system with a larger collection of packages, similar to Ubuntu’s “universe” repository component. This set is community maintained, so it doesn’t necessarily have the same SLA that RHEL does, but critically, that collection is opt-in. EPEL users make an intentional decision to use the community-maintained collection.

Diagram of Fedora, RHEL, and EPEL

Patch coverage is not the same among these systems. Fedora has excellent coverage because it generally isn’t distributing software beyond its upstream maintenance window. RHEL has excellent coverage because Red Hat is staffed to continue maintenance of a smaller package set, independently. Many users will deem Ubuntu’s interim releases acceptable, and informed users of their LTS releases can disable the “universe” repo. The “main” repo will serve many users’ needs and offer good security coverage. However, users should understand that the default configuration of Ubuntu LTS will offer them an enormous body of unmaintained and potentially insecure packages, and that problem will also affect systems derived from Ubuntu LTS, like Mint and Zorin. Debian provides users with the fewest tools for mitigating vulnerabilities, because they continue to distribute software beyond its upstream maintenance, and they don’t differentiate packages that will get security patches from the ones that will not.