Wednesday, September 20, 2023

Does Debian Testing need a security repository?

Debian Testing is for testing the upcoming new release of Debian as it develops. You may think the clue is in the name, but some people seem to regard it as a rolling release. It's not. As a Debian installation for daily use, it is in fact the least secure Debian version. Security fixes go through the normal process of migration from Unstable to Testing, which may take days, because new packages must not introduce release-critical bugs, whereas the Stable release gets security updates immediately from a special security repository.

As the Debian Wiki says:

Security for testing benefits from the security efforts of the entire project for unstable. However, there is a minimum two-day migration delay, and sometimes security fixes can be held up by transitions. The Security Team helps to move along those transitions holding back important security uploads, but this is not always possible and delays may occur. Especially in the months after a new stable release, when many new versions are uploaded to unstable, security fixes for testing may lag behind. If you want to have a secure (and stable) server you are strongly encouraged to stay with stable.

The Debian Wiki recommends an active approach to security when using testing.

It is a good idea to install security updates from unstable since they take extra time to reach testing and the security team only releases updates to unstable.

For details of how to do so, see the Wiki link. This involves an Apt pinning process, not just enabling the Unstable repository, which would give you an Unstable installation, aka Sid, the notorious breaker of toys.

A security repository for Testing exists, but I have always believed it was for users of Testing who intended to stay with the next release. Say you have new hardware and find that Debian Stable does not work, but Debian Testing does. You might decide to accept or mitigate the risks by watching for and installing security updates from Unstable (see above) and using Testing until it becomes Stable.

In which case, your sources.list would look like this at the time of writing:

deb http://deb.debian.org/debian/ trixie main contrib non-free non-free-firmware
deb http://security.debian.org/debian-security/ trixie-security main

"trixie" would of course be replaced by the codename of the Testing release at any point in time. If you are reading this years in the future, it may be different. Local mirrors for the primary repository are of course also acceptable.

I have always believed (and indeed the Debian Wiki said so) that the repository would be empty, just there so that users would have the security repository automatically when Testing became stable in case they forgot to add it after the release. For that reason, I have never added a security line to my sources.list.

However, I noticed recently (in fact it was pointed out to me by a member at the Debian User Forum) that a security line is recommended for users of Testing tracking either the current codename or Testing in their sources.list.

The Debian Wiki did not explain why, so I contacted a member of the Wiki team to ask for clarification. It seems that under exceptional, rare circumstances very serious bug fixes may indeed be added to the Testing security repository, which is why the Debian Wiki recommends it, and the answer to the question in the title of this post is "yes".

For people tracking Testing like me, sources.list should look like this:

deb http://deb.debian.org/debian/ testing main contrib non-free non-free-firmware
deb http://security.debian.org/debian-security/ testing-security main
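Two things in this post lend themselves to a script: the Apt pinning the Debian Wiki describes for pulling security updates from Unstable without turning the system into Sid, and the check that a Testing sources.list actually carries the security line recommended above. The following POSIX shell script is an added example, not code from the post or from the Debian Wiki. It writes an Unstable source and a preferences file into a directory of your choosing, and it reports any suite in a classic sources.list that has no matching "<suite>-security" line. The file names, the 900/800 priority values and the mirror URLs in the sample data are assumptions; the sample sources.list is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the post or the Debian Wiki): Apt pinning so that
# Unstable is available for hand-picked security updates while Testing stays
# the default, plus a check for the security line Testing users should have.
# File names and the 900/800 priorities are illustrative assumptions.

# write_pinning ROOT
# Writes ROOT/sources.list.d/unstable.list and ROOT/preferences.d/99-testing-first.
# Use ROOT=/etc/apt on a real system; the demo below uses a temporary directory.
write_pinning() {
  root=$1
  mkdir -p "$root/sources.list.d" "$root/preferences.d"
  cat > "$root/sources.list.d/unstable.list" <<'EOF'
deb http://deb.debian.org/debian/ unstable main contrib non-free non-free-firmware
EOF
  cat > "$root/preferences.d/99-testing-first" <<'EOF'
# Testing wins by default: 900 > 800, so a package present in both
# suites is installed from Testing.
Package: *
Pin: release a=testing
Pin-Priority: 900

# Unstable is visible but only used when asked for explicitly
# (apt install <pkg>/unstable) or when a package exists only there.
# Both values stay below 1000, so Apt never downgrades on its own.
Package: *
Pin: release a=unstable
Pin-Priority: 800
EOF
}

# suites_without_security FILE
# Prints every suite named on a "deb" line of FILE whose URL does not look
# like a security repository and that has no matching "<suite>-security"
# line. Comments and deb-src lines are ignored. Only the classic one-line
# format is parsed; deb822 .sources files are not handled.
suites_without_security() {
  awk '
    $1 != "deb"     { next }
    $2 ~ /security/ { sec[$3] = 1; next }   # security.debian.org or a debian-security mirror
                    { main[$3] = 1 }
    END {
      for (s in main)
        if (!((s "-security") in sec)) print s
    }
  ' "$1"
}

# Demo on a constructed sources.list (sample data, not a real system).
demo_root=$(mktemp -d)
cat > "$demo_root/sources.list" <<'EOF'
# Tracking Testing by alias; the security line is missing on purpose
deb http://deb.debian.org/debian/ testing main contrib non-free non-free-firmware
deb-src http://deb.debian.org/debian/ testing main
EOF
echo "Suites lacking a security line:"
suites_without_security "$demo_root/sources.list"   # prints: testing
write_pinning "$demo_root"
echo "Generated pinning:"
cat "$demo_root/preferences.d/99-testing-first"
rm -rf "$demo_root"
```

After running write_pinning against /etc/apt, `apt update` followed by `apt-cache policy <package>` should show the candidate version coming from Testing; a single fix that has only reached Unstable is then pulled with `apt install <package>/unstable` (or `apt-get -t unstable install <package>`), and the next Testing migration takes over again because of the higher pin. The check treats any URL containing "security" as a security repository, so a local mirror of debian-security is recognised as well as security.debian.org.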

I have edited a couple of Debian Wiki pages to reflect this new information or to make clear why the security repository is recommended for all Testing users. Many thanks to my contact at the Debian Wiki team for providing the information.