Adam Borowski - 10.11.18, 23:19:
> On Sat, Nov 10, 2018 at 07:41:19PM +0300, Andres Suarez wrote:
> > From the security point of view: Is it worth to update from Jessie
> > to
> > ASCII? Do you see any significant advantage? I do no use any exotic
> > software.
> Yes. Upstream (Debian) Jessie is only in LTS, which, as discussed in
> a recent flamewar, is quite a misleading term compared to general
> usage. It should be probably named "extended support" or such.
>
> Jessie is no longer owned by the regular security team, and sees
> nowhere as much attention as Stretch. Packages considered
> unimportant are silently neglected and may have unfixed bugs. CVEs
> are tracked in general, but you can forget about any reasonable
> coverage of non-security fixes. Or for backports in a good shape.
>
> Consider the LTS/ES a grace period to migrate to Stretch/ASCII rather
> than something recommended for use.

On Debian machines I usually use both debian-security-support and
debsecan packages:

debian-security-support has a command check-support-status, that
displays packages with limited support. It won't, as far as I guess, not
show the limitations of LTS/ES support tough.

debsecan send mails which CVEs are unfixed in current set of packages.

I did not test any of these on my Devuan server VMs so far.

I usually combine this with both apt-listbugs and apt-listchanges :).
And needrestart.

Thanks,
--
Martin