The correct way with a new computer with recent hardware is to install Debian Testing to get a recent kernel, firmware and mesa and stuff, but put the code name of the next release into your apt config instead of “testing”. So then when the next version is released, you can just stay on that, now stable, version.
Trixie just got released today though, so for the time being you can probably get away with using that.
Wouldn’t it be better to use backports? Testing doesn’t always get security updates if a package is problematic and can’t migrate from sid for a while.
That’s another option, but it’s a bit more cumbersome having to cherrypick which exact backports you need for your specific hardware. Also, if you then for some reason don’t upgrade to the next stable release when it comes out, backports get abandoned after 1 year instead of the customary 3 years for the rest of the oldstable release.
From my experience, running trixie/testing the past year or so on a minipc with hardware that was a bit too recent for bookworm, I can say that the cadence of security patches has been about the same between bookworm and testing.
And let’s be honest, on a desktop system your main attack surface is going to be the software you go online with, i.e. the browser. So if you make sure that is kept up to date (flatpak, vendor repo, …) that already goes a long way.
The correct way with a new computer with recent hardware is to install Debian Testing to get a recent kernel, firmware and mesa and stuff, but put the code name of the next release into your apt config instead of “testing”. So then when the next version is released, you can just stay on that, now stable, version.
Trixie just got released today though, so for the time being you can probably get away with using that.
Wouldn’t it be better to use backports? Testing doesn’t always get security updates if a package is problematic and can’t migrate from sid for a while.
That’s another option, but it’s a bit more cumbersome having to cherrypick which exact backports you need for your specific hardware. Also, if you then for some reason don’t upgrade to the next stable release when it comes out, backports get abandoned after 1 year instead of the customary 3 years for the rest of the oldstable release.
From my experience, running trixie/testing the past year or so on a minipc with hardware that was a bit too recent for bookworm, I can say that the cadence of security patches has been about the same between bookworm and testing.
And let’s be honest, on a desktop system your main attack surface is going to be the software you go online with, i.e. the browser. So if you make sure that is kept up to date (flatpak, vendor repo, …) that already goes a long way.