Hacker News

washingupliquid yesterday at 7:14 PM

Maybe this is the kick in the ass Debian needs to upgrade the embarrassingly ancient dnsmasq in "stable" because while I can't think of any new features, the latest versions contain many non-CVE bug fixes.

But I doubt it, they will lazily backport these patches to create some frankenstein one-off version and be done with it.

Before anyone says "tHaT's wHaT sTaBlE iS fOr": they have literally shipped straight-up broken packages before, because fixing it would somehow make it not "stable". They would rather ship useless, broken code than something too new. It's crazy.


Replies

zrm yesterday at 7:31 PM

They're not going to put a newer version in stable. The way stable gets newer versions of things is that you get the newer version into testing and then every two years testing becomes stable and stable becomes oldstable, at which point the newer version from testing becomes the version in stable.

The thing to complain about is if the version in testing is ancient.

ploxiln yesterday at 10:37 PM

You don't have to use Debian stable, if you'd prefer Ubuntu every 6 months, or Fedora (6 months? 9 months?), or even Arch Linux updated daily ...

I use Arch on my laptop, when I got it 2 years ago the amd gpu was a bit new so it was prudent to get the latest kernel, mesa, everything. Since I use it daily it's not bad to update weekly and keep on top of occasional config migrations.

I use Debian stable on my home server, it's been in-place upgraded 4-ish times over 10 years. I can install weekly updates without worrying about config updates and such. I set up most stuff I wanted many years ago, and haven't really wanted new features since, though I have installed tailscale and jellyfin from their separate debian package repos so they are very current. It does the same jobs I wanted it to do 8 years ago, with super low maintenance.

But if you don't want Debian stable, that's fine. Just let others enjoy it.

lutoma yesterday at 8:33 PM

For what it's worth, Debian had a security update for dnsmasq yesterday, presumably to address this.

wolttam yesterday at 7:47 PM

I dunno, 2.92 seems to bring in some new features and changes that would not typically be brought into a stable release: https://thekelleys.org.uk/dnsmasq/CHANGELOG

asveikau yesterday at 9:45 PM

You can always ask the Debian project for your money back.

ExoticPearTree today at 6:07 AM

About a decade ago I switched to Ubuntu LTS because of Debian’s “policy?” of having pretty old packages in “stable” and long release cycles.

Nowadays, even with Ubuntu’s two year or so release cycle I have to use 3rd party packages to have up to date software (PHP being one) and not some version from three years ago.

We no longer live in a world (with few exceptions) where running a 3-5 year old distribution (still supported) makes sense.

BrandoElFollito today at 11:37 AM

It depends on how you look at it. I use Debian stable in the smallest possible configuration because it is, well, stable. A rock on which I put docker to run actually useful services, which are updated the way I want.

If I was to run dnsmasq on Debian, it would be in a container. Since I run Pihole (in a container), it kinda is.

PunchyHamster today at 10:03 AM

whatever you're on, stop, it's not making your brain any better

lmm yesterday at 11:10 PM

That's what stable is for though. Like, sure, stable's policy is ludicrous and you would have to be insane to run stable. But the remedy for that isn't to try to change Debian policy, it's to get people to stop running stable. Maybe once no-one uses it Debian will see sense.

afarviral yesterday at 7:34 PM

What if the new release which contains the fixes has new dependencies and those also have new dependencies? I assume they have to Frankenstein packages sometimes to maintain the borders of the target app while still having major vulns patched right in stable.

TacticalCoder yesterday at 11:33 PM

    https://security-tracker.debian.org/tracker/CVE-2026-2291
    https://security-tracker.debian.org/tracker/CVE-2026-4890
    https://security-tracker.debian.org/tracker/CVE-2026-4891
    https://security-tracker.debian.org/tracker/CVE-2026-4892
    https://security-tracker.debian.org/tracker/CVE-2026-4893
    https://security-tracker.debian.org/tracker/CVE-2026-5172
fixed, fixed, fixed, fixed, fixed and fixed

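A practical follow-up to the security-tracker list above is to confirm that the dnsmasq package actually installed on a box carries the backported fixes. Debian's backported security updates name the CVEs in the package changelog, so a small check can read that changelog and report any CVE from the list that is not mentioned. This is an added example script, not code from the thread or from Debian; the changelog text embedded in it is constructed for the demonstration (the version string and maintainer are placeholders), and only the six CVE ids come from the post above.

```shell
#!/bin/sh
# Constructed sample of a Debian changelog entry. The version, suite and
# maintainer fields are placeholders; only the CVE ids come from the thread.
# Note that it deliberately omits CVE-2026-5172 so the check has something to find.
SAMPLE_CHANGELOG='dnsmasq (X.Y-Z+debNuM) placeholder-security; urgency=high

  * Backport upstream fixes for CVE-2026-2291, CVE-2026-4890,
    CVE-2026-4891, CVE-2026-4892 and CVE-2026-4893.

 -- Placeholder Maintainer <maintainer@example.invalid>  Mon, 01 Jan 2026 00:00:00 +0000
'

# missing_cves CVE-ID...
# Reads a changelog on stdin and prints, space-separated, every CVE id given
# as an argument that does not appear in it as a whole word.
# Exit status 0 when all ids are mentioned, 1 when at least one is missing.
missing_cves() {
    changelog=$(cat)
    missing=""
    for cve in "$@"; do
        # -F: literal match, -w: whole word, so CVE-2026-2291 does not
        # match CVE-2026-22910.
        if ! printf '%s\n' "$changelog" | grep -q -F -w "$cve"; then
            missing="$missing $cve"
        fi
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Demonstration against the constructed changelog.
printf '%s' "$SAMPLE_CHANGELOG" | missing_cves \
    CVE-2026-2291 CVE-2026-4890 CVE-2026-4891 \
    CVE-2026-4892 CVE-2026-4893 CVE-2026-5172 \
    || echo "at least one CVE above is not mentioned in the changelog"
```

On a real Debian host the changelog can be fed in with `apt-get changelog dnsmasq | missing_cves ...` or from the installed copy under `/usr/share/doc/dnsmasq/changelog.Debian.gz` via `zcat`. An id being absent from the changelog is a prompt to look at the security tracker entry, not proof that the fix is missing, since a maintainer may reference a fix without naming every CVE.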
rlpb yesterday at 9:20 PM

> ...they have literally shipped straight-up broken packages before, because fixing it would somehow make it not "stable"

Irrelevant strawman, since you're not accusing the dnsmasq package in Debian stable of being straight-up broken.