Why is there a separate package repository for Debian security updates?

Debian has a distribution channel that provides security updates only so that administrators can choose to run a stable system with only the absolute minimum of changes. Additionally, this distribution channel is kept somewhat separate from the normal channel: all security updates are fed directly from security.debian.org, whereas it is recommended to use mirrors for everything else. This has a number of advantages. (I don't remember which of these are official motivations I read on Debian mailing lists and which are my own mini-analysis. Some of these are touched on in the Debian security FAQ.)

  • Security updates are spread immediately, without the delay incurred by mirror updates (which can add about 1 day of propagation time).
  • Mirrors can go stale. Direct distribution avoids that problem.
  • There is less infrastructure to maintain as a critical service. Even if most of Debian's servers are unavailable and people can't install new packages, as long as security.debian.org points to a working server, security updates can be distributed.
  • Mirrors can be compromised (this has happened in the past). It's easier to watch a single distribution point. If an attacker managed to upload a malicious package somewhere, security.debian.org could push a package with a more recent version number. Depending on the nature of the exploit and the timeliness of the response, this could be enough to keep some machines uninfected or at least warn administrators.
  • Fewer people have upload rights on security.debian.org. This limits the possibilities for an attacker trying to subvert an account or machine in order to inject a malicious package.
  • Servers that don't need ordinary web access can be kept behind a firewall that only allows security.debian.org through.

I'm pretty sure Debian puts security updates in the regular repo as well.

The reason to have a separate repo that only contains security updates is so you can set up a server, only point it at the security repo, and automate updates. Now you've got a server that is guaranteed to have the latest security patches without accidentally introducing bugs caused by incompatible versions, etc.

I'm not sure if this exact mechanism is used by other distros. There's a yum plugin to handle this kind of thing for CentOS, and Gentoo currently has a security mailing list (portage is currently being modified to support security-only updates). FreeBSD and NetBSD both provide ways to do security audits of installed ports/packages, which integrate well with the built-in update mechanisms. All told, Debian's approach (and probably Ubuntu's, since they're so closely related) is one of the slicker solutions to this problem.
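The "point it only at the security repo and automate updates" setup described in the answer above, as an added example (shell script written for this page, not code from the original post or from Debian). It assumes Debian 12 "bookworm" and the post-bullseye security suite naming (`<codename>-security`); the `apt list --upgradable` lines it filters are a constructed sample, not output from a live host, and matching on a `-security` suite name is a heuristic, not an apt API.

```shell
#!/bin/sh
# Added example: a security-only apt setup for a Debian host.
# Assumption: Debian 12 "bookworm"; override CODENAME for another release.
set -eu

CODENAME="${CODENAME:-bookworm}"

# Emit a sources.list that lists only the security repository. A host that
# runs apt-get upgrade against this file alone can only receive security
# updates, which is the "security-only" server the answer describes.
security_only_sources() {
    printf 'deb http://security.debian.org/debian-security %s-security main\n' "$1"
}

# Emit an unattended-upgrades snippet that limits automatic upgrades to the
# Debian security origin (the Origins-Pattern form used by unattended-upgrades;
# ${distro_codename} is expanded by unattended-upgrades itself, not by sh).
security_only_unattended() {
    cat <<'EOF'
Unattended-Upgrade::Origins-Pattern {
    "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
};
EOF
}

# Read `apt list --upgradable` output on stdin and print only the packages
# whose candidate comes from a *-security suite. Heuristic: the suite field
# (after the slash, possibly comma-separated) contains "-security".
security_upgrades() {
    awk -F'[/ ]' '$2 ~ /-security/ { print $1 }'
}

# Constructed sample of `apt list --upgradable` output (versions are made up).
SAMPLE_UPGRADABLE='Listing...
libssl3/bookworm-security,bookworm-security 1.0-2 amd64 [upgradable from: 1.0-1]
curl/bookworm 2.0-2 amd64 [upgradable from: 2.0-1]
bash/bookworm-security 3.0-2 amd64 [upgradable from: 3.0-1]'

security_only_sources "$CODENAME"
security_only_unattended
printf '%s\n' "$SAMPLE_UPGRADABLE" | security_upgrades
```

To dry-run against the security list only, write the first function's output to its own file and run `apt-get -s upgrade -o Dir::Etc::sourcelist=/path/to/security.list` with `Dir::Etc::sourceparts` pointed at an empty directory, so that `/etc/apt/sources.list.d/` does not pull the regular suites back in. Before buster the security suite was named `<codename>/updates` rather than `<codename>-security`, so the sources line above needs adjusting on older releases.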


It helps with two things:

  1. Safety: first get your security fixes; then you are at lower risk while updating the rest.
  2. Security updates should be stored at a high security level, as you tend to rely on them to protect the rest of your system, so it could be that this repo has stronger security controls to prevent compromise.

There could well be other reasons, but those are the two I would find useful.