Your changes can’t hurt me!

  • pmk@lemmy.sdf.org
    2 days ago

    Wouldn’t it be better to use backports? Testing doesn’t always get security updates if a package is problematic and can’t migrate from sid for a while.

    • DefederateLemmyMl@feddit.nl
      2 days ago

      That’s another option, but it’s a bit more cumbersome having to cherry-pick which exact backports you need for your specific hardware. Also, if you then for some reason don’t upgrade to the next stable release when it comes out, backports get abandoned after 1 year instead of the customary 3 years for the rest of the oldstable release.

      From my experience, running trixie/testing the past year or so on a minipc with hardware that was a bit too recent for bookworm, I can say that the cadence of security patches has been about the same between bookworm and testing.

      And let’s be honest, on a desktop system your main attack surface is going to be the software you go online with, i.e. the browser. So if you make sure that is kept up to date (flatpak, vendor repo, …) that already goes a long way.