There’s a story that hit
Slashdot today about Debian (see bug
#433869) not using the
security.debian.org system to send out an update to the timezone data for a
change in New Zealand daylight savings time.
The update in question is not a security fix; however, having the correct time on a system is
very important for security. Without the correct local time across all of your different
systems (and thus the correct timestamp on log messages) you will not be able to
collate messages between different systems (e.g. routers, firewalls, other Unix/Linux
systems) during an incident. This update has already been released by Microsoft, Red Hat
and, I expect, other vendors.
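
To make the collation problem concrete, here is an added example (not part of the original post) showing two hosts logging the same SSH connections on 2007-10-02, two days after New Zealand's new daylight saving start date of 30 September and before the old start date of 7 October. The host names, log lines, and the assumption that `web1` is the host with stale timezone data are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

NZST = timezone(timedelta(hours=12))  # offset applied by a host with stale tzdata
NZDT = timezone(timedelta(hours=13))  # correct offset on 2007-10-02 under the new rule

# Assumption: fw1 has the tzdata update, web1 does not.
ZONES = {"fw1": NZDT, "web1": NZST}

# Constructed log lines: (host, local time as written with no offset, message)
LOGS = [
    ("fw1",  "2007-10-02 14:00:05", "ACCEPT src=192.0.2.10 dport=22"),
    ("web1", "2007-10-02 13:00:06", "sshd accepted login from 192.0.2.10"),
    ("fw1",  "2007-10-02 14:07:40", "ACCEPT src=192.0.2.10 dport=22"),
    ("web1", "2007-10-02 13:07:41", "sshd accepted login from 192.0.2.10"),
]

def parse(stamp, tz=timezone.utc):
    """Parse a syslog-style local timestamp and attach the given offset."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)

def correlate(logs, zones=None, window=timedelta(seconds=5)):
    """Pair each fw1 ACCEPT with a web1 login seen within `window` after it.

    With zones=None every timestamp is taken at face value, as an analyst
    would do when all hosts are believed to share one local time.
    Returns a list of (firewall_time_utc, login_time_utc) pairs.
    """
    def when(host, stamp):
        return parse(stamp, zones[host]) if zones else parse(stamp)

    fw = [when(h, s) for h, s, _ in logs if h == "fw1"]
    web = [when(h, s) for h, s, _ in logs if h == "web1"]
    return [(f.astimezone(timezone.utc), w.astimezone(timezone.utc))
            for f in fw for w in web
            if timedelta(0) <= w - f <= window]

def local_skew(zones, a, b):
    """Difference between the local-time offsets two hosts apply."""
    return zones[a].utcoffset(None) - zones[b].utcoffset(None)

if __name__ == "__main__":
    print("face-value matches:", len(correlate(LOGS)))
    print("offset-corrected matches:", len(correlate(LOGS, ZONES)))
    print("fw1 vs web1 skew:", local_skew(ZONES, "fw1", "web1"))
```

Taken at face value the firewall and server entries never line up; they only pair once each host's actual offset is known, which during an incident means first working out which machines missed the timezone update.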
To me this seems just to be another reason that a commercial company should not run Debian
GNU/Linux, as you’re at the whims of a bunch of volunteers who are unlikely to understand the
security concerns of your business (e.g. PCI/DSS or Sarbanes-Oxley). However, it’s still a
good OS if you’re running a personal system or if you can have a team of Debian
sysadmins/developers at your call to backport important package changes.