Re: If, on the other hand, you're one of us many disgruntled former CentOS users
"Have you got a list of these? Would be educational."
I did find a list some time ago but I no longer have the link. So I'll just link a few examples from memory:
- There's of course the well-known OpenSSL fiasco (2008?)
- There's the lesser-known systemd fiasco (2014), although that also affected Ubuntu.
- In 2018 a bug was found which caused a regular update to remove various packages from servers (that one was great fun for some web host I know)
- Also in 2018 there was another bug where pam-auth-update may empty config files and thereby deactivate all authentication (https://justi.cz/security/2019/01/22/apt-rce.html). Worth noting is that the bug was reported on Nov 1st, 2017 but the first reaction was not until almost 5 months later, which for a security-related bug isn't exactly stellar.
- In 2019 a remote code execution bug in apt/apt-get was found in Debian and derivatives which was especially harmful because Debian insists that insecure http is good enough for its repositories. What makes this really sad is that similar bugs were already found in 2014 and 2016, yet no efforts were made to mandate something better than http as the default protocol for repositories.
This is the kind of stuff that should make toenails curl for anyone who needs to maintain a stable and secure Linux platform. Then there is other stupid stuff like this:
In 2016 they had a bug where Debian's xscreensaver was telling its users that its package is obsolete. In typical fashion, Debian's community didn't decide to simply update that package with a newer version; no, they discussed how they could patch out the warning:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819703
Here's what the developer of xscreensaver had to say about this:
https://www.jwz.org/blog/2016/04/i-would-like-debian-to-stop-shipping-xscreensaver/
As I said, Debian is a great platform if you like to fiddle with the innards of your OS or want to build your own distribution, but in an enterprise scenario it's simply sub-par. That the Debian community is often more focussed on activism than on fixing Debian's many problems, and is often quite toxic (including death threats to main contributors), doesn't help either, nor does the fact that contributions often come from people who can't even write a proper bug report.
So if you value what made classic CentOS so great then you won't find that in Debian.