
> you would count on them to fix it immediately, push out the automatic update and go on with your life.

Not only do you get security updates for your distro with the vast majority of Linux distros, but you also get it for all your 3rd party software, using the same system mechanism.

They may not push the updates automatically (you can of course set it that way), but some of us still want to be in control of what gets installed on our machines.

That's not to say it can't be improved, but the situation isn't quite as bad as you are painting it, i.e. there are mainstream distros that come hardened by default and security patches are regularly backported.

I'd argue that macOS is also technologically less secure than modern Windows, yet its users are in no more danger than Windows users are (despite its theoretical security), because security depends on a lot of factors including the user culture, market share etc., i.e. Linux doesn't have a culture of downloading executables from random websites for one.

I'd guess most distributions feel like they're providing an adequate level of protection for their users as of now, without introducing too much friction. Once that is no longer the case, it's easy to turn on a few more knobs, the software is already there.




The 3rd party software is a huge problem, actually. When you do apt-get or install using the Ubuntu App Store it gives a false sense of security to a novice user that things are safe. This is even more problematic because there are so many things one needs to download on the default desktop to be on par with default Windows. The File Manager UI, for example, lacks too many features and the user must investigate alternatives and either assume that everything is all right or deeply examine security vulnerabilities for each available option. Same goes for basic things like text editor or calculator and so on.


> it gives a false sense of security

Why is getting the latest security updates giving a false sense of security exactly?

> The File Manager UI, for example, lacks too many features and the user must investigate alternatives and either assume that everything is all right or deeply examine security vulnerabilities for each available option. Same goes for basic things like text editor or calculator and so on.

This is where you're being unfair, the notion that the default file manager is not good enough is subjective, it is plenty good for most people.

(Finder for macOS also lacks many features, yet many people never bother with alternatives).

Moreover, if you do need to find a replacement, if it is in the official repos, it probably means it is popular enough to be solid.

As for things like an editor, are you telling me that Notepad is more featured than gedit?


> Why is getting the latest security updates giving a false sense of security exactly?

Because in quite a few distributions you don't get security updates reliably. For example Debian Stable excludes most WebKit-based libraries from their update policy.

https://www.debian.org/releases/stable/amd64/release-notes/c...

So users of browsers like Midori and Epiphany or e-mail clients like Evolution on Debian Stable currently end up using a WebKit library that hasn't been updated in more than a year.

The same issue applies to Ubuntu and most of its derivatives as well. E.g. Ubuntu 14.04 users get a WebKitGTK+ library which hasn't been updated in almost a year.

http://changelogs.ubuntu.com/changelogs/pool/main/w/webkitgt...

Of course, the user doesn't get a warning dialog when he installs applications which rely on those outdated and insecure libraries.

Ubuntu users also shouldn't rely on packages from the Universe repository (which are by far the most packages), if they care about security. Those packages are community maintained and often don't get a single update in years. In the past they didn't even update Chromium reliably.


This is why I think Rolling Release is the only viable model of Linux distribution on desktops. Instead of overloading a team of security experts expecting them to backport every security change to the stable version of a package, they simply follow upstream releases, build it and make sure that it isn't horribly broken (however, they can't be sure that the upgrade path is seamless for every possible configuration).

BTW, it is possible to check in Ubuntu which packages are supported or not: http://manpages.ubuntu.com/manpages/xenial/man1/check-suppor...
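
The Universe point made earlier in the thread, and the support check mentioned above, can be approximated by parsing `apt-cache policy` output and labelling each package by the archive component that ships its installed version. This is an added example, not part of any comment in the thread; the sample output, versions and function names are constructed, and treating `main`/`restricted` as the supported set assumes the Ubuntu archive rather than a third-party repository.

```python
import re

# Constructed `apt-cache policy midori gedit localtool` output, not from a real system.
SAMPLE = """\
midori:
  Installed: 1.2-3
  Candidate: 1.2-3
  Version table:
 *** 1.2-3 500
        500 http://archive.ubuntu.com/ubuntu xenial/universe amd64 Packages
        100 /var/lib/dpkg/status
gedit:
  Installed: 2.0-1
  Candidate: 2.0-1
  Version table:
 *** 2.0-1 500
        500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
        100 /var/lib/dpkg/status
localtool:
  Installed: 1.0
  Candidate: 1.0
  Version table:
 *** 1.0 100
        100 /var/lib/dpkg/status
     0.9 500
        500 http://archive.ubuntu.com/ubuntu xenial/universe amd64 Packages
"""

PKG = re.compile(r"^(\S+):$")                 # "midori:"
VER = re.compile(r"^ (\*\*\*|   ) \S+")       # version entry; *** marks the installed one
SRC = re.compile(r"^\s+-?\d+ \S+ [^/\s]+/(\S+) \S+ Packages$")  # "... xenial/universe ..."
SUPPORTED = {"main", "restricted"}            # assumption: sources are the Ubuntu archive

def installed_components(text):  # package -> components shipping the installed version
    out, pkg, current = {}, None, False
    for line in text.splitlines():
        if m := PKG.match(line):
            pkg, current = m.group(1), False
            out[pkg] = set()
        elif pkg and (m := VER.match(line)):
            current = m.group(1) == "***"     # ignore sources of other versions
        elif pkg and current and (m := SRC.match(line)):
            out[pkg].add(m.group(1))
    return out

def classify(text):  # 'local' = no archive source, so no updates from any repository
    return {p: ("local" if not c else "supported" if c & SUPPORTED else "community")
            for p, c in installed_components(text).items()}

print(classify(SAMPLE))
```

On a real system the input would be the output of `apt-cache policy` for the installed package names; the component label says who maintains the package, not whether a given fix has landed.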


You. Are. Not. Supposed. To. Install. Debian. Stable. On. A. Desktop. Machine.

How many times will this have to be repeated? Stable is for servers. If you're running webkit based libraries on your server you have other issues. For desktops, both Testing and Unstable are the valid options.


that's like ... your opinion. the way you try to make it look as if it's a widely accepted best practice among Debian users is not cool. Debian stable is a perfectly viable distribution for desktop use.


Except... it is? Having spoken with quite a few people on #debian, hell, even a simple Google search agrees with that. Don't use stable unless you have a very old machine. Using stable brings you... stability and three-year-old packages. Using testing brings you stability and six-month-old packages. Using unstable brings you stability and sometimes fun things and one-week-old packages. For the Personal Anecdote Bonus Points, even sysadmin friends that swear by stable would tell me to use testing for a desktop distro.


People over #debian or your sysadmin friends are entitled to their own opinions and not representative of Debian users other than themselves, and for every random recommendation for not using stable you can find another random one about dangers of using testing or unstable.

If you check the Debian web site you'll see stable is the only one which is officially supported and recommended by the project and there is no distinction for "server" or "desktop" use cases. Had stable been non-suitable as a desktop OS you can be sure Debian developers wouldn't bother releasing and supporting thousands of desktop/graphical packages with the stable release.

In the end stable, testing and unstable all have their pros and cons, strong and weak areas and some are more suitable for some use cases. That Debian stable is only for servers and it is not a good desktop OS is a myth that needs to die. Stable is a damn fine desktop OS. Everyone is free to use whatever they deem best for their use but when you post blanket statements like "You. Are. Not. Supposed. To. Install. Debian. Stable. On. A. Desktop. Machine." and "Stable is for servers" on a public forum you are spreading misinformation and you should just stop.



