I vote we all move to Red Star Linux with CDE.

Comparing Debian with 1000 active developers, to Mageia... How many are there? 3?
Debian has security update when there is a problem to fix. That's the whole point. BSD distros go for months without any new security holes, therefore no updates.

Mageia Control Center is a nice piece of software, actually useful for controlling basic desktop/OS functions through graphical UI while not being either over-simplified or over-complicated. And it still looks nice by design. Been that way since Mandrake (which preceded Mandriva). Also it's openEID support (for whom it matters) is excellent. Ubuntu or Debian are metaphorically not even in same building by it's user-friendliness, not to mention being anywhere close. When it comes to openEID (national ID authentication/signing) official support (Ubuntu by government order) is worse than Mageia's (which works OTB). It's closest to coherent experience some Linux desktop distro can offer - Ubuntu can sit its multiple haphazard config utilities in itself, it still does not lose the impression of software puzzle sewed together.

These folks who lament about it's supposed lack of "security" - want security go use OpenBSD or shut up. Desktop Linux is last place to search it from. Measures promoting user-friendliness and convenience run counter to common security practices. You can add dozens or hundreds of layers of code over potential holes but it's still patch upon patch masquerading as security. More piled-down patchwork code = also can mean more chances somebody would find some hole and way to use it. My 2c.

That's what under-developed distro fan brings when he have no arguments ?

Please show me where Debian is any more or less secure than Mageia.

Debian auto compiles updates to third party software just like pretty every other distro out there. Including Mageia. It doesn't take a thousand people to update sudo and push it to your users.

Here. Have a read. How Mageia compares to that?
Do they have dedicated security team?
Do their security team fixes packages, where maintainers can't, like in Debian?
Do they have security audits, by separate team?
Do they maintain stable and old stable releases, with security team cherry picking and maintaining fixes from upstream?
Do Mageia coordinate work of 1000 devs and 50000 packages, so Debian works and all distros based on it are working fine?
No. Mageia can't do nothing with 3 devs working in free hours on the project. That's they difference between Debian security and Mageia.

I'm not going to waste too much time, but let's break down some of your arguments.

OK, Debian has 1000 auditors, auditing software on the system. Great. What software does Debian write that requires audit? Answer is very little. First party wise, they have a few installers and a lot of scripts.

Mostly they're auditing third party programs. 50,000 as you said. Let's look at the last 5 DSA's announced on this page:

python-aiohttp <- Third party program
nodejs <- Third party program
firefox-esr <- Third party program
screen <- Third party program
openldap <- Third party program

Anytime there is a CVE or update to third party core software, Debian package builders will update the packages src, build them, test them, and ship them out.

If the Debian security auditors find a bug, they'll fix it, and then upstream it. The upstreamer takes the patch, rolls out a new version, and then guess what happens? That's right, other Distros get the CVE or update. Their package builders update the src, build, test, and then ship it out.

The end result is whatever Debian fixes with their 1000 man security team is likely to end up in Mageia and any other distro out there.

You are correct, Mageia probably doesn't have the man power to audit third party programs at scale. But to be honest with you, they don't need to. Any security issues Debian finds with their 1000 man army, will end up fixed in Mageia and other distros as a result. (Even BSDs, Mac, Windows, etc get the benefit of these audits.)

Also by that token, you might want to dump Debian and use Red Hat. IBM has 13,500 paid employees, working full time in and around the system. Lot more man power, fixes, and even software comes out there.




FYI, Debian SELinux would be the correct answer to my question, but then you're losing a whole bunch of functionality.

Remember, Linux distros are 99.5% a collection of third party programs. Most of them GPL. So long as the third party programs are up-to-date, and built sanely, you have about as secure as you will need for a desktop machine.

Servers are another story. Mageia isn't really a server OS.

Thanks for taking your time replying me, I really appreciate it. Just one correction: Debian has 1000 active developers. Security team and audit team has undisclosed number of people working on it.

No, that's literally what I as a "normally BSD user" would do when I have older computer that can't take Win10 for a user who needs user-friendly distro. I'd put Mageia on it. Used to be Mint (because it could take official openEID packages made for Ubuntu).

And just for the record: I'm not a Megaia fanboy. In fact, I've never even used Mageia, Mandriva or Mandrake - I just base my arguments on the evidence that I can see in statistics, commits and whatnot since it's FOSS.