> You can't attack Debian like this without providing a few examples.
It's not specific to Debian. They're packaging a massive ecosystem of software nearly entirely not developed or significantly changed by Debian and are assembling an operating system out of it. Many of the projects they package have quite poor attitudes when it comes to privacy and security, including core components of the base OS. It's mainly criticism of projects including glibc, systemd, GCC and GNOME which is worse when using an OS lagging so far behind backporting a subset of the vulnerability fixes and doing the opposite of attack surface reduction / hardening with how they integrate most of it.
> This is just an empty accusation. Have you seen serious security problems in Debian with any noticeable consequences recently?
Yes, it has atrocious privacy and security including being far behind operating systems like macOS in deploying app sandboxing, a modern permission model, isolation throughout the OS, modern exploit protections and memory-safe languages. Debian is focused on packaging and integrating software, not developing it. There's nearly zero work on overall privacy and security. Backporting patches for issues assigned CVEs is not systemic work on improving privacy and security. Debian is not making the major ongoing advances in privacy and security which have happened on mobile and are happening at a slower and more limited pace for macOS. QubesOS largely exists to work around the extreme insecurity of traditional desktop operating systems. It also exists to work around the insecure architecture of the Linux kernel which is increasingly behind macOS and especially iOS doing increasingly sophisticated kernel hardening with substantial work done across the kernel along with moving more code into userspace. If anything, Linux is moving more code into kernel space where it has no isolation, particularly on traditional distributions simply enabling all the new features/functionality rather than doing more and more attack surface reduction and hardening like Android/ChromeOS (which are still falling further behind iOS in this area).