Security on TUXEDO OS: How we secure Debian Testing - TUXEDO Computers

  • Notebooks
    • Notebooks/Laptops with preinstalled and configured Linux and more. TUXEDO Computers are individually built computers and PCs being fully Linux-suitable, custom tailored Linux hardware so to say. We deliver all TUXEDOs ready to go so you only ha...
    • 10-14 inch
    • 15-16 inch
    • 17 inch
    • Immediate shipping
    • Business notebooks
    • Gaming-Notebooks
    • Mobility notebooks
    • Deep Learning AI
    • All Notebooks
  • Computers / PCs
    • Computers / PCs with Linux preinstalled & more TUXEDO Computers are individually built computers and PCs being fully Linux-suitable, custom tailored Linux hardware so to say :) We deliver all TUXEDOs ready to go so you only have to unwrap,...
    • Mini Systems
    • Midi Systems
    • Maxi Systems
    • AMD Systems
    • Intel Systems
    • All Systems
  • Accessories
    • Here you will find accessories, components and peripherals for your TUXEDO system. Nothing suitable found here? Get in touch with us directly!
    • Batteries
    • Displays
    • Dockingstations
    • Books
    • Input Devices & Peripherals
    • Bags & Sleeves
    • Notebook Power Supplies & Cords
    • Components & Complements
      • Cables
      • Drives
      • Hard Disk Drives 2.5"
      • PC Power Supplies
      • SSDs 2.5"
      • SSDs m.2 (SATAIII and NVMe)
      • WiFi, LAN & Mobile Network
      • Licenses
  • B2B
    • In this category you can find equipment for your company, office, school, university or educational institution and servers and solutions. Appliances with CRM, ERP and merchandise management, cloud storage, cloud server for self-hosting, services...
    • Business notebooks
    • Business computers
  • Novelties
  •  
    • Notebooks
      • 10-14 inch
      • 15-16 inch
      • 17 inch
      • Immediate shipping
      • Business notebooks
      • Gaming-Notebooks
      • Mobility notebooks
      • Deep Learning AI
      • All Notebooks
    • Computers / PCs
      • Mini Systems
      • Midi Systems
      • Maxi Systems
      • AMD Systems
      • Intel Systems
      • All Systems
    • Accessories
      • Batteries
      • Displays
      • Dockingstations
      • Books
      • Input Devices & Peripherals
      • Bags & Sleeves
      • Notebook Power Supplies & Cords
      • Components & Complements
        • Cables
        • Drives
        • Hard Disk Drives 2.5"
        • PC Power Supplies
        • SSDs 2.5"
        • SSDs m.2 (SATAIII and NVMe)
        • WiFi, LAN & Mobile Network
        • Licenses
    • B2B
      • Business notebooks
      • Business computers
    • Novelties
  • Settings

  • Deutsch
  • English

  • Customer Account

  • Log in
  ATTENTION: To use our store you have to activate JavaScript and deactivate script blockers!  
Thank you for your understanding!

Security on TUXEDO OS: How we secure Debian Testing

2026-07-14 18:00:00

When we announced that future versions of TUXEDO OS would be based on Debian Testing instead of Ubuntu LTS and the response was overwhelmingly positive. At the same time, one important question kept coming up: How do we ensure that security updates reach our users quickly, given that Debian Testing does not have a dedicated security channel like Debian Stable or Debian Unstable?

The way Debian Testing receives security updates differs fundamentally from Debian Stable. For that reason, we have developed our own mechanisms from the very beginning to deliver security fixes independently of Debian’s regular migration process. While our first article focused on the new system architecture and the reasons behind our move away from Ubuntu, today we would like to explain our security strategy and the processes behind it.

How packages reach Debian Testing

Debian Testing is continuously built from packages migrating out of Debian Unstable (Sid). This model provides a modern yet thoroughly tested software stack. However, it also means that security fixes do not automatically become available in Testing immediately. Depending on the circumstances, there may be a delay of anywhere between two and fourteen days before a patched package reaches Debian Testing.

For a package to migrate from Unstable to Testing, it must first pass a minimum waiting period without introducing release-critical bugs. In addition, successful builds must be available for all supported architectures, and all package dependencies must be satisfied without introducing conflicts. For a desktop operating system that users rely on every day, simply waiting for Debian’s automated migration process is therefore not sufficient.

Taking action instead of waiting

This is exactly where the new TUXEDO OS differs from an unmodified Debian installation.

We operate our own package repositories that mirror the underlying Debian base. As a result, we are not limited to waiting for packages to migrate naturally from Debian Unstable into Testing.

Whenever a critical security vulnerability remains unpatched in Debian Testing longer than we consider acceptable, we take action ourselves. Depending on the situation, we either import already-patched packages directly from Debian Unstable or create our own backports, which are then distributed through our repositories. This allows our users to receive security fixes before they become available through Debian Testing itself, giving us the flexibility to respond quickly whenever critical security issues arise.

Continuous CVE monitoring

This approach is backed by a continuous vulnerability monitoring system that is currently being rolled out. We automatically analyze the Debian Security Tracker together with other public CVE databases. Whenever new vulnerabilities are disclosed, we compare their status against the package versions available in Debian Testing. Any security-relevant discrepancies immediately feed into our package prioritization process.

This enables us to identify exactly which packages require attention instead of waiting for Debian’s standard workflow. As both a hardware manufacturer and a Linux distributor, we also benefit from close relationships with upstream developers and various security communities. Where embargoed information is unavailable, our automated monitoring ensures that we can react as soon as a vulnerability becomes public. Silent patches—security fixes that are integrated without major announcements—also contribute to improving overall system security.

Info: A silent patch is a security or bug fix that is integrated into software without a major public announcement. Such fixes are often distributed as part of regular updates to address vulnerabilities quickly without drawing unnecessary attention to the underlying issue.

Fast response times are the goal

For severe vulnerabilities—such as a critical flaw in sudo or other core system components—our accelerated QA process comes into effect. Our objective is to provide fully tested security updates within a matter of hours after a reliable upstream patch becomes available whenever possible.

The new architecture gives us a significant advantage here. Under Ubuntu LTS, we often depended on Canonical’s packaging schedule. With Debian as our foundation, we have considerably more control over the entire update process. When necessary, we can package and distribute security fixes ourselves rather than waiting for external releases.

The TUXEDO OS security pipeline closes the gap of unmodified Debian Testing by actively testing, backporting, and releasing critical vulnerability fixes directly to users.
The TUXEDO OS security pipeline closes the gap of unmodified Debian Testing by actively testing, backporting, and releasing critical vulnerability fixes directly to users.

A new kernel strategy

As part of the migration to Debian Testing, TUXEDO OS will ship its own kernel packages, built directly on Debian’s kernel packaging infrastructure: linux-tuxedo as the primary kernel and linux-tuxedo-lts as a fallback option following an appropriate upstream long-term support kernel.

Our own modifications remain deliberately minimal, fully documented, and designed to be upstream-friendly wherever possible. We will explain the new kernel strategy in greater detail in a dedicated blog post.

Security has always been a high priority for TUXEDO OS, even during the Ubuntu era. This was demonstrated by our rapid response to the serious Copy Fail and Dirty Frag vulnerabilities. In both cases, the normal embargo process had been bypassed, leaving the community with little warning. TUXEDO responded to Copy Fail on the very same day by providing the tuxedo-fix-copy-fail package while work on a kernel update was already underway. For Dirty Frag, we released linux v6.17.0–118023.2324.04.1tux1, eliminating the Dirty Frag vulnerability while simultaneously providing a permanent fix for Copy Fail, replacing the temporary package.

Had we already been using the Debian Unstable kernel base that will underpin future TUXEDO OS releases, neither of these vulnerabilities would have affected our users in the first place.

Btrfs and Snapper provide an additional safety net

Rapid security updates should never come at the expense of reliability. That is why our proactive vulnerability management is complemented by TUXEDO OS’s built-in rollback capabilities. Btrfs and Snapper provide an additional layer of protection by allowing the entire system to be restored to a previously working snapshot at any time. This enables us to react quickly without unnecessarily risking the stability of production systems.

This also benefits new Linux users, many of whom hesitate to install updates out of concern that they might break their system. Knowing that a problematic update can easily be rolled back encourages users to keep their systems up to date, ultimately improving overall security.

Special considerations before a Debian release

The period leading up to a new Debian Stable release presents unique challenges for any operating system based on Debian Testing. During this phase, package migrations slow down significantly as Debian enters its release freeze.

To address this, we increase the frequency of our manual package reviews during these periods. Important security fixes that remain blocked in Testing can be distributed through our own repositories, allowing us to bypass migration bottlenecks introduced by the release freeze whenever necessary.

A reduced attack surface

Another important aspect is often overlooked. The components that account for the majority of a desktop system’s attack surface are not sourced directly from Debian Testing in TUXEDO OS. Web browsers, the Linux kernel, the graphics stack—including NVIDIA drivers—and other key system components are maintained independently and updated continuously, just as they are today.

While Debian Testing still contributes a large number of packages, these are predominantly libraries and utilities that require direct security intervention far less frequently.

An attractive solution for businesses

This security strategy benefits more than just home users. Business customers gain access to tailored update cycles through our infrastructure while benefiting from continuous package maintenance, rapid responses to security incidents, and the additional protection provided by filesystem snapshots.

As a result, TUXEDO OS combines up-to-date software with a security strategy that goes well beyond what a standard Debian Testing installation can offer. We will present the measures we are implementing specifically for our business customers in a separate blog post in the near future.

Service & Support

Welcome to TUXEDO Support - how can we help you?

Linux at TUXEDO

Are you wondering if Linux is right for you? Our team will be happy to answer your questions and explain details about the free operating system at TUXEDO.
Let the advantages and services convince you!

Hardware

Notebook, PC, both - and which model? Our technical service team also provides advice on selection, equipment and puts together suitable offers for your technical requirements.

Questions and Answers

Frequently asked questions and the corresponding answers can be found here. If you cannot find a solution to your problem here, it is also worth taking a look at the instructions section.


Find out more

Instructions and Tips

Most situations can be solved quickly and easily by yourself. This saves you time and you can use your device directly again. We provide you with instructions, first steps and short tips for all TUXEDO models.


Find out more

System Recovery

Even in the case of a case, you don't have to rely on us: Your device can be reset to the factory settings - completely automatically! Everything is included with your order and you can get started right away.


Find out more

Technical Service

Our competent technicians are also happy to help with service requests. You have different possibilities to contact us. We are personally there for you Monday to Friday from 9 am to 1 pm and from 2 pm to 5 pm. But also outside these times, you can contact our team with your request by e-mail.
An extra function is available in your customer account for repair requests (RMA).

 

Contact

We are personally there for you Monday to Friday from 9 am to 1 pm and from 2 pm to 5 pm (German time). But also outside these times, you can contact our team with your request by e-mail. You will receive confirmation of receipt within approximately 15 minutes. If not, please feel free to contact us by phone. Please include your order number, the model name of your laptop or PC and as detailed a description of your request as possible. The more details you give us, the faster we can process your request!

We might not be able to answer questions about third party hardware or software. For questions about popular open source software (Thunderbird, Filezilla...) please contact a forum e.g. ubuntuforums.org. The research effort for application specific setup is immense and not manageable at the current time. Basic compatibility questions e.g. are of course still welcome!

An extra function is available in your customer account for repair requests (RMA).

 

Image of Tux

Linux compatible
image of 5 years warranty badge

Up to 5 Years Warranty
stylized image of a Rocket

Immediately ready for use
image of germany with a wrench in the center

Assembled in Germany
image of germany with a section sign in the center

German Data Privacy
stylized image of a tech support worker

German Tech Support

Guidance

  • Service & Support
  • B2B


Mo - Fr: 9-13 & 14-17h
+49 (0) 821 / 8998 2992

Perform Revocation

About TUXEDO

  • Why TUXEDO
  • TUXEDO Control Center
  • TUXEDO Tomte
  • TUXEDO WebFAI
  • TUXEDO OS
  • TUXEDO Aquaris
  • Individual logos and keyboards

Help & Support

  • Downloads & Drivers
  • System Diagnostics
  • Frequent questions (FAQ)
  • Instructions
  • Help with my device
  • Revocation right
  • Shipping costs & delivery times
  • Payment methods

News & more

  • News & Blog
  • Press
  • Newsletter
  • Event Calendar
  • Jobs & Career
  • Sponsoring

Community


Your Linux specialist since 2004

  • Accessibility
  • Public Keys
  • Privacy policy
  • Imprint
  • Battery disposal
  • Conditions of Use

Shipping costs & delivery times

We ship your order to almost all countries, in Europe mostly even free of charge! The respective shipping costs and the cost threshold above which we will cover the costs for you can be found here or for international shipping in the table below.

 


Free shipping within Germany

There are no shipping costs within Germany for goods worth €100 or more.

 

7.99 € shipping cost at max!

No matter how many small articles you order, such as USB stick card reader, LAN adapters or fan articles, with us, you pay a maximum of 7.99 € shipping costs.

  • 7.99 € shipping fee for all orders below 100 € of goods
  • Free shipping from 100 € total value of goods

You can check all occurring shipping costs or if we even deliver for free right before sending your order!

 


International delivery

Here are the shipping costs as well as the amount threshold for your order. The threshold is referring to the total amount of your order, which enables free shipping.
 

Taxes and customs outside the EU:

For orders outside the EU there might be additional duties, taxes or charges needed to be paid by the customer. These don't have to be paid to the supplier, but to local authorities. Please check for any details with your local customs or tax authorities before ordering! But as a benefit you don't have to pay German taxes, this means you save up to 19%!
Due to the Brexit and the associated changes, there may be delays of several days in customs clearance on site for deliveries to the UK. This is not within our sphere of influence.

The processing of orders outside the EU may currently be subject to significant delays due to the respective customs authorities. Unfortunately, we have no influence over this and therefore ask you to check your shipment tracking daily. If the status of your shipment does not change for more than a week, please contact our customer service.

Thank you for your understanding!

 

 
⚠️   Countries to which we unfortunately cannot ship, and information on how you can still order from us, can be found here!
Country Shipping Fee Free Shipping From
Albania 99,00 EUR -
Andorra 59,00 EUR -
Belarus
(Temporarily no delivery possible)
59,00 EUR -
Belgium 8,49 EUR 100 EUR
Bulgaria 15,99 EUR 160 EUR
Denmark 8,49 EUR 100 EUR
Estonia 15,99 EUR 160 EUR
Faroe Islands 129,00 EUR -
Finland 14,99 EUR 150 EUR
France
(Overseas France excluded)
9,99 EUR 120 EUR
Greece 22,90 EUR -
United Kingdom
(Overseas Territories excluded)
9,99 EUR 120 EUR
Hong Kong 199,00 EUR -
India 199,00 EUR -
Ireland 14,99 EUR 150 EUR
Island 129,00 EUR -
Italy 9,99 EUR 120 EUR
Japan 99,00 EUR -
Canada 99,00 EUR -
Croatia 34,90 EUR 500 EUR
Latvia 15,99 EUR 160 EUR
Lithuania 15,99 EUR 160 EUR
Luxembourg 8,49 EUR 100 EUR
Macau 199,00 EUR -
Malta 34,90 EUR 500 EUR
Macedonia 59,00 EUR -
Moldova 199,00 EUR -
Monaco 19,00 EUR -
Montenegro 99,00 EUR -
Netherlands
(Dutch Carribean excluded)
8,49 EUR 100 EUR
Norway 14,99 EUR 150 EUR
Austria 8,49 EUR 100 EUR
Poland 15,99 EUR 160 EUR
Portugal 14,99 EUR 150 EUR
Romania 15,99 EUR 160 EUR
San Marino 9,99 EUR 120 EUR
Sweden 14,99 EUR 150 EUR
Switzerland 13,99 EUR 150 EUR
Serbia 34,90 EUR 500 EUR
Singapore 199,00 EUR -
Slovakia 15,99 EUR 160 EUR
Slovenia 15,99 EUR 160 EUR
Spain
(Canary Islands excluded)
14,99 EUR 150 EUR
Czech Republic 15,99 EUR 160 EUR
Ukraine
(Temporarily no delivery possible)
129,00 EUR -
Hungary 15,99 EUR 160 EUR
USA
(including Hawaii)
99,00 EUR -
United Arabic Emirates 199,00 EUR -
Cyprus 34,90 EUR 500 EUR
Qatar 199,00 EUR -
⚠️ Countries to which we unfortunately cannot ship, and information on how you can still order from us, can be found here!

 


Time of delivery

If not stated differently in the article's description, we deliver goods in:

  • 7-10 working days within Germany
  • 10-12 working days outside Germany

For orders paid in advance, the delivery time starts with receipt of the payment. Please keep in mind that there is no delivery on Sundays or on holidays.
For goods delivered as download, there will be no shipping fees due.
Access data for downloads are sent out via e-mail 1-3 working days after contract formation. For orders with advanced payment, we will deliver after receiving the payment. You can download the item by using the link sent to you via e-mail.

Self-pick-up of orders is not possible, unfortunately.