
  • Sure, but even in those “few cases” Testing will get them soon.

    Didn’t I allude to that with:

    "it doesn’t receive the security backports like Stable does nor does it receive them as soon as Unstable/Sid does."

    Though I do notice that the above sentence contains an error that is perhaps misleading. By definition, Unstable/Sid doesn’t receive security backports. Instead, the updates related to security are (usually) first received in Unstable/Sid. So, the above sentence tried to portray the following picture related to security:

    Unstable/Sid ~ Stable >> Testing

    I did read at some point that Testing may receive security updates later than stable, might be in those cases in which backports come straight from unstable.

    That’s basically the point I’ve been making 😉.

    I think the only remaining point of contention is the degree by which Stable does receive security backports right after Unstable/Sid does while Testing only receives it later.

    Honestly, I don’t know the specifics. But Debian Testing’s wiki entry notes security concerns multiple times. And it’s all related to the fact that they don’t receive the security backports as soon as Stable receives them. The explanation related to security updates concerning the three distinct branches is covered in even more detail over here.

    Basically, after I’ve read all of that, it’s clear as day that security is not a priority on Testing. And while band-aid solutions do exist, it’s simply not designed to be secure.




  • Am upgrading from thinkpad to framework 16 with amd. Looking for distro recommendations.

    I would start looking at what’s supported to begin with.

    I did the whole distro chooser quiz but didn’t help much.

    FYI, it isn’t as helpful as you would hope and hasn’t been updated in quite a while. Don’t be too much bothered with the result. But thanks for sharing some tidbits from the quiz as it helps the community to better help you!

    avoid systemd

    Are you sure you want this?

    stable

    Does this refer to unchanging (for long periods of time except for security updates)? Or, instead, for being less inclined to break after an update?

    Is testing/unstable got wayland?

    I don’t recommend going for (Debian’s/Devuan’s) testing (branch) as it targets a peculiar niche that I fail to understand; e.g. it doesn’t receive the security backports like Stable does nor does it receive them as soon as Unstable/Sid does. Unstable/Sid could work, but I would definitely set up (GRUB-)Btrfs + Timeshift/Snapper to retain my sanity.

    are they reliable enough?

    Depends on how reliable you want them to be. OOTB, their reliability definitely ain’t great, though.

    If so what do I go with.

    Consider answering all questions found in this comment and we’ll be better equipped to help you out with this.

    Also how’s the hardware comparability with framework I assume it won’t be too bad to get set up.

    Overall, it’s pretty good; especially so on the supported distros.


    Btw, you strike me as a (relatively) new user that doesn’t seem to have a good understanding on Linux yet. Is this correct?


  • TIL that Tails predates all the distros mentioned in my earlier comment and it also predates Whonix. So thank you for mentioning that! (It’s by about 3 years if anyone is wondering; Tails in 2009; Kicksecure, Qubes OS and Whonix in 2012; secureblue in 2023.)

    So, the reason I didn’t even mention Tails, is because I (frankly) don’t regard it as a daily driver meant for general use. However, I might be completely wrong on this. So please feel free to correct me.

    However, even if Tails would be excellent as a daily driver, the problem related to reliance on backports for security updates still persists. Furthermore, while its protection against forensics is arguably superior to anything else out there (including Qubes OS), its overall security model is not something special. Even if -for the sake of argument- we’d regard its security superior over both Kicksecure and secureblue, it still wouldn’t make a chance against Qubes OS’ security model.


  • May as well contribute my own 😜.

    I’m an absolute sucker for exquisitely hardened distros. Hence, distros like Qubes OS and Kicksecure have rightfully caught my interest. However, the former’s hardware requirements are too harsh on the devices I currently own. While the latter relies on backports for security updates; which I’m not a fan of. Thankfully, there is also secureblue.

    Contrary to the others, secureblue is built on top of an ‘immutable’ and/or atomic base distro; namely Fedora Atomic. By which:

    • It’s protected against certain attacks.
    • Enables it to benefit from more recent advancements and developments that benefit security without foregoing robustness.

    If security is your top priority, Qubes OS is the gold standard. However, secureblue is a decent (albeit inferior) alternative if you prefer current and/or ‘immutable’/atomic distros.