FS-VERITY in Linux 5.4

Yes, I took a lazy shortcut not looking at AOSP update_engine source code and assumed AOSiP wouldn’t be much different. Yes, interesting to see the connection of Chromium OS with update_engine.

How few are a few?
Also requires a solution for Selecting Secure Packages from packages.debian.org - i.e. objective, doable criteria for judging secure vs non-secure.

How’s that possible?
Use newer software from upstream as they release and package? Well, that’s not going to fly well due to dependency issues. New versions don’t work with Debian stable. Would be similar to mixing Debian testing with Debian stable which doesn’t work great.

  • One could also argue in theory (but not in practice) Debian testing is more secure than Debian stable since Debian testing sticks closer to upstream releases. (That however doesn’t hold true during periods of Debian freeze.)
  • One could also argue in theory (but again not in practice) that Debian sid is more secure than Debian stable since Debian sid sticks closer to upstream releases. (Ignoring that sid is unstable indeed.)
  • Debian rolling was an idea but it didn’t materialize.

A rolling distribution - not “really” rolling but mostly rolling at long periods distribution - Debian testing - was unsuitable as a base for Whonix; see “Why is Whonix ™ based on Debian Stable, not Debian Testing?”

Therefore I don’t think this is feasible with the current project resources.
