Are Tumbleweed and other rolling release distributions more secure?

That’s what I thought when I chose Tumbleweed some years ago, but I realize that I’ve never sought feedback for this opinion from more knowledgeable users.

So, at last, this overdue post.

My reasoning:

  • I’ll guess that ‘zero day vulnerabilities’ are likelier to be found in static systems with relatively few updates. An evil-doer discovers so-and-so vulnerability in infrequently-updated package ABC, can exploit it endlessly until the package is finally updated in the next point release. In a rolling distribution, in contrast, little remains static long enough to be at conquerable risk of becoming a zero day. Brand new vulnerabilities can emerge – as in the xz-utils backdoor – but a bad guy won’t have the time to exploit them before they’re superseded in the next update.

  • All the reasoning offered by openSUSEr Richard Brown in this blog post:
    https://rootco.de/2020-02-10-regular-releases-are-wrong/ Safety comes with attention from many eyeballs, and the latest-and-greatest will always be getting the most attention.

An opposing argument:

  • The knowledgeable user or administrator counts much more in making a system secure than the difference between a rolling or point release. An amateurish user like yours truly generally lacks the chops to really batten down the hatches on a system. A qualified SysAdmin configuring a Leap (or Debian, or Ubuntu) installation will know enough to make it more secure than Tumbleweed installed and configured by an amateur.

Opinions, please!

I cannot speak for other distributions in general, but Leap does not “wait for the next point release” and receives regular updates, especially security ones, via the update repositories.
When the kernel is involved, the patches are back-ported, meaning that the version might still be, say, 6.4.0.x to preserve the kABI and compatibility with installed apps, but the effective code is comparable to that from Factory/Tumbleweed as far as security is involved.

I update my Leap systems every week and there are almost always some (five to ten?) security patches.
No, I do not think my Leap lacks security compared to Tumbleweed.
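The back-porting point above is worth checking rather than trusting: on Leap the kernel package version string stays the same while the security fixes land in the changelog. The script below is an added example, not something posted in this thread, showing how to pull the CVE references out of `rpm -q --changelog` output. The changelog text embedded in it is constructed and its CVE numbers are placeholders, not real advisories.

```shell
#!/bin/sh
# Added example (not from the thread): the package version alone says nothing
# about back-ported security fixes, so read the RPM changelog instead.
# Uses only POSIX sh plus grep/sort so it runs on any Linux box.

# extract_cves: read changelog text on stdin, print unique CVE ids, one per line.
extract_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# count_cves: number of distinct CVE ids mentioned in a changelog on stdin.
count_cves() {
    extract_cves | grep -c .
}

# Constructed sample in the style of `rpm -q --changelog kernel-default`.
# The CVE numbers are placeholders (CVE-0000-...), not real advisories.
SAMPLE_CHANGELOG='* Mon Jan 01 2024 maintainer@example.invalid
- Update to 6.4.0.x (kABI unchanged, version string unchanged)
- net: fix use-after-free in frob (CVE-0000-0001)
- fs: add bounds check in blah (CVE-0000-0002)
- follow-up note that mentions CVE-0000-0001 again
'

# sample_cve_count: distinct CVEs in the constructed sample (expected: 2,
# because the duplicate mention of CVE-0000-0001 is collapsed by sort -u).
sample_cve_count() {
    printf '%s' "$SAMPLE_CHANGELOG" | count_cves
}

# On a real Leap system, run it against the installed kernel package:
#   rpm -q --changelog kernel-default | extract_cves
# and cross-check with:  zypper list-patches --category security
```

The `sort -u` matters because a single CVE is often mentioned several times in one changelog (initial fix, follow-up, revert); counting raw matches would overstate how much was actually fixed.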

The difference between a fixed release and rolling release distribution is not the security. They are both secure.

The difference between them is the set of features and functions. Rolling release distributions get the newest upstream features and versions, whereas fixed releases stay on a slightly older but stable release. The easiest way to explain and understand this is to have a look at the KDE Plasma versions. Leap 15.6 ships KDE Plasma 5, which still gets security updates but no new features. Tumbleweed ships with Plasma 6, which is the newest development branch with the newest features and functions.


Thanks very much for the feedback, OrsoBruno, hcvv and hui. Perhaps I might very well have standardized on Leap, but after 5+ years with Tumbleweed on this computer, I likely won’t switch now.

Take a look at this. There is also a video of a dev from openSUSE.