That's really helpful, thanks.Raspberry Pi OS uses packages from two of three sources depending on the architecture used.
32-bit Pi OS (armhf) uses packages from the Raspbian^ repository and the Raspberry Pi repository. The majority of the packages come from Raspbian.
64-bit Pi OS (arm64) uses packages from the Debian repository and the Raspberry Pi repository. The majority of the packages come from Debian.
Raspbian packages are built using the Debian sources and track Debian security, so all updates will be included. There may be a few days delay while packages are built.
(There are a few packages that have Pi specific modifications).
Obviously you don't have to worry about the Debian packages as they will be automatically built by Debian.
Raspberry Pi packages come into two categories:
1) Packages created by Raspberry Pi Ltd. Any bugs/security issues on these will be fixed by the Raspberry Pi team as quickly as needed.
2) Debian (and other) packages customised by Raspberry Pi Ltd. These are usually pretty up to date and bug/security fixes are mostly applied by the team in good time. There may be a bit more work involved than just applying the Debian patches.
* It is possibly to use the Debian repositories for 32-bit Raspberry Pi OS when running on any Pi that doesn't use the BCM2835 chip (as used on the Pi (1)A, (1)B, Zero, and CM1).
I'm using 32-bit Pi OS, targeting a Pi Zero - so using Raspbian & Raspberry Pi repositories.
So the majority of packages come from Raspbian repo, and these track Debian Security - is it safe to assume they will be built exactly as per Debian packages (architecture aside), apart from the few that have Pi specific mods (which might be solely architecture related)?
As for the Raspberry Pi packages, I wouldn't imagine those created by Raspberry Pi Ltd are likely to have CVEs associated with them... I may be wrong there but...?!
Those packages in this repo that are Debian-based but customised - I'd assume those too would be built as much as possible as per Debian packages, except for the customisations needed?
Thanks again,
Richard.
Statistics: Posted by riph72-lumi — Mon May 12, 2025 8:27 am