What do distributions like Qube OS, Subgraph, Tails, and Whonix have in common? Besides an emphasis on security and privacy, all of them are Debian derivatives — and, probably, this common origin is not accidental.
At first, this trend seems curious. After all, other distributions ranging from Slackware and Gentoo to Arch Linux all emphasize security and privacy in their selection of tools. In particular, Fedora’s SE Linux can be so restrictive that some users would rather disable it than learn how to configure it. By contrast, while Debian carries many standard security and privacy tools, it has seldom emphasized them.
Similarly, Debian’s main branch consists of only free and open source software, its contrib and non-free branches not being official parts of the distribution. With many security experts favoring the announcement of vulnerabilities and exploit code rather than relying on security through obscurity, the way that many pieces of proprietary software do, this transparency has obvious appeal.
Yet although the advantage of free software to security and privacy is that the code can be examined for backdoors and malware, this advantage is hardly unique to Debian. To one or degree another, it is shared by all Linux distributions.
Another answer might be that security distributions build on Debian because everyone else does. Of the several hundred active distributions listed on Distrowatch, about two-thirds are based on Debian or Ubuntu. Under these circumstances, the dependency on Debian could be no more than random chance.
However, looking at how Debian both assembles a release and operates on a daily basis, an even simpler answer suggests itself. Debian may not talk a lot about security, but then fish rarely talk about water, either.
In other words, security and privacy are built into Debian policy and procedure. From a strict perspective, Debian can be improved, since, like any distribution, it sometimes compromises for the sake of user convenience, but it remains one of the best foundations for improvement — and, very plausibly, the best.
This statement is undoubtedly controversial. However, to evaluate it properly, you have to understand that most discussion about security and privacy is based on reactive solutions such as virus protectors or SE Linux — that is, tools that detect a possible security or privacy breach, and then act to contain or eliminate it.
But to most security and privacy experts, reactive tools are secondary lines of defense. Much of their time is spent on what is sometimes called architectural security. Instead of designing reactions to intrusions, they try to design software so that intrusions do not occur in the first place.
To give a simple example, instead of running a virus scan, architectural security relies on design elements such as user accounts and permissions to ensure that viruses never get a chance to run in the first place.
In the same way, Debian relies on a detailed procedure to eliminate vulnerabilities. It does not ignore updates, bug-fixes, or backports, but, to a far greater degree than other distributions, Debian does its best to prevent them being necessary in the first place.
None of Debian’s procedure or policy is new, yet, despite Debian’s popularity, few users seem aware of how tightly controlled the distribution’s construction really is. However, you can catch a glimpse of Debian’s procedures in the Debian Policy Manual.
Debian is not the only distribution to have a policy manual about how to build packages and how they are processed through the project. None of the others, however, are nearly as complete. Debian policy details virtually every aspect of building a package, from where libraries, log files, and help should be placed in the file hierarchy, to the types of scripts that can be included in a package and how to add a package to desktop menus. These details are reviewed first by package maintainers, then by the Debian security team. As a result, by the time a package enters the Stable branch for a general release, it is almost guaranteed to be high-quality.
Mistakes do happen, of course, even with such rigorous planning. But when they do, Debian is ready with an equally thorough explanation of what is expected of maintainers when a bug is reported in the Debian Maintainer Reference. The Maintainer Reference covers such topics as how to test a package and report a bug, when confidentiality about problems should be considered, and the procedure when a bug is security-related and needs to be added to the Debian Tracker, the database of reported bugs.
Sometimes, fixing a bug may require working with non-Debian projects, but, overall, this structure allows Debian to respond both quickly and thoroughly to problems.
From an architectural perspective, Debian offers a consistent structure that minimizes bugs (so far as that is possible) and responds quickly when they do occur. Although Debian cannot guard completely against human error or the interactions of one piece of software with another, it provides what is almost certainly the most solid foundation for improving security and privacy that is likely to be available.
Debian’s suitability for security and privacy improvements does come at a price. Notoriously, Debian Stable, the branch for the current release, is often several versions behind other distributions. For example, while Ubuntu 16.10 uses a 4.8 kernel, Debian stable is still using a 3.16 kernel.
For users who want the newest possible software, this lag is often unacceptable. In fact, many users and derivative distributions, including Ubuntu, borrow from the less thoroughly vetted Debian Testing and Unstable in order to offer more recent software that developers are likely to get.
However, for the purposes of security and privacy, newness is not a priority. If anything, newer packages are more apt to have vulnerabilities than older, frequently patched ones. From this perspective, Debian’s stability remains as ideal a starting point for improvements.
Huawei’s AI Update: Things Are Moving Faster Than We Think
FEATURE | By Rob Enderle,
December 04, 2020
Keeping Machine Learning Algorithms Honest in the ‘Ethics-First’ Era
ARTIFICIAL INTELLIGENCE | By Guest Author,
November 18, 2020
Key Trends in Chatbots and RPA
FEATURE | By Guest Author,
November 10, 2020
FEATURE | By Samuel Greengard,
November 05, 2020
ARTIFICIAL INTELLIGENCE | By Guest Author,
November 02, 2020
How Intel’s Work With Autonomous Cars Could Redefine General Purpose AI
ARTIFICIAL INTELLIGENCE | By Rob Enderle,
October 29, 2020
Dell Technologies World: Weaving Together Human And Machine Interaction For AI And Robotics
ARTIFICIAL INTELLIGENCE | By Rob Enderle,
October 23, 2020
The Super Moderator, or How IBM Project Debater Could Save Social Media
FEATURE | By Rob Enderle,
October 16, 2020
FEATURE | By Cynthia Harvey,
October 07, 2020
ARTIFICIAL INTELLIGENCE | By Guest Author,
October 05, 2020
CIOs Discuss the Promise of AI and Data Science
FEATURE | By Guest Author,
September 25, 2020
Microsoft Is Building An AI Product That Could Predict The Future
FEATURE | By Rob Enderle,
September 25, 2020
Top 10 Machine Learning Companies 2020
FEATURE | By Cynthia Harvey,
September 22, 2020
NVIDIA and ARM: Massively Changing The AI Landscape
ARTIFICIAL INTELLIGENCE | By Rob Enderle,
September 18, 2020
Continuous Intelligence: Expert Discussion [Video and Podcast]
ARTIFICIAL INTELLIGENCE | By James Maguire,
September 14, 2020
Artificial Intelligence: Governance and Ethics [Video]
ARTIFICIAL INTELLIGENCE | By James Maguire,
September 13, 2020
IBM Watson At The US Open: Showcasing The Power Of A Mature Enterprise-Class AI
FEATURE | By Rob Enderle,
September 11, 2020
Artificial Intelligence: Perception vs. Reality
FEATURE | By James Maguire,
September 09, 2020
Anticipating The Coming Wave Of AI Enhanced PCs
FEATURE | By Rob Enderle,
September 05, 2020
The Critical Nature Of IBM’s NLP (Natural Language Processing) Effort
ARTIFICIAL INTELLIGENCE | By Rob Enderle,
August 14, 2020
Datamation is the leading industry resource for B2B data professionals and technology buyers. Datamation's focus is on providing insight into the latest trends and innovation in AI, data security, big data, and more, along with in-depth product recommendations and comparisons. More than 1.7M users gain insight and guidance from Datamation every year.
Advertise with TechnologyAdvice on Datamation and our other data and technology-focused platforms.
Advertise with Us
Property of TechnologyAdvice.
© 2025 TechnologyAdvice. All Rights Reserved
Advertiser Disclosure: Some of the products that appear on this
site are from companies from which TechnologyAdvice receives
compensation. This compensation may impact how and where products
appear on this site including, for example, the order in which
they appear. TechnologyAdvice does not include all companies
or all types of products available in the marketplace.
