ryrona
Believe me, there are a lot of users and downstream projects that are auditing Debian.
Not nearly as much as you're implying and it doesn't work as well as you're implying either.
If the "anyone can submit packages to Debian" approach constituted a significant risk, we would have seen that by now.
It's a huge risk and severe vulnerabilities are regularly introduced by Debian packages. It often doesn't get much attention after it happens. We have some past posts about several cases of this happening. Updates are also often delayed far more than just based on freezing packages indefinitely. AOSP has issues with freezing packages too, but Debian is much worse at this than AOSP and Debian is what's being portrayed as doing better than it is here and elsewhere.
The biggest problem with Debian isn't in and of itself this, but that no noticeable security or privacy improvements have been implemented at all since like 2011. Debian has increasingly become obsolete as a project, and unsuitable to build security and privacy focused projects on. While Fedora for example has many running projects to improve security and privacy, projects that are delivering.
Fedora doesn't have modern exploit protections, widespread use of memory safe languages, etc. It's not enabling many standard Linux kernel exploit protections. They still haven't deployed stuff like CFI and are nowhere close to doing basic allocator hardening or advanced features like MTE. There's very little use of sandboxing and SELinux MAC policies are very basic and barely used to do anything, especially for a desktop. Debian is much worse but privacy and security are very stagnant for that ecosystem as a whole.
My point was that in AOSP all security vulnerabilities are disclosed 3-4 months before fixes are allowed to be published.
No, they're allowed to be published right away which we're doing. The source code released is delayed due to a misguided idea that it helps attackers more than it actually does. That being very misguided doesn't mean it is actually forced to be delayed for 3 months. Also, based on what we've seen so far, it's 3 months for most patches and then a steady stream of additions up to 1 month ahead so it's 1-3 months but mostly 3. There's also the time period before they fix and disclose them this way, so that can add 1 or more months on top of the widely disclosed patches to OEMs which are allowed to be shipped early now. The old approach was 1 month early access without being allowed to ship early, now it's mostly 3 months (but to a lesser extent 1-2 months for a smaller portion) but with OEMs allowed to ship as soon as they want. In practice, most OEMs aren't taking advantage of it, but we've noticed Samsung has been doing it throughout this year with a small portion of the patches which will likely grow. Pixel stock OS appears to be doing the same, but not listing the CVEs they fix early despite it being implied in their docs that it must be done. They definitely shipped at least 1 December 2025 patch in the Pixel October monthly update.
I have seen Debian having fixes out for high and critical severity vulnerabilities within 3 days of a vulnerability being discovered on many occasions.
They typically go years without shipping important patches unless a CVE is assigned, which it often isn't. If a CVE assigned, it might be shipped quickly but often isn't. They're also notorious for introducing downstream security vulnerabilities, far beyond the most well known examples like the Debian weak key issue.
I just wanted to say your statement is a bit unfair. I am not saying Debian has a good track record at all of getting fixes out, I very much know they don't. But AOSP is also terrible in this regard, and you know it.
GrapheneOS is not AOSP or the stock Pixel OS.