Zill wrote: Debian Stable does automatically receive security updates, whereas Debian Testing does not.
I think this can't be deduced from the official Debian statement. Nothing happens automatically, it all depends on the persons involved.
What can we deduce?
"the Security Team backports the patch to stable": This means that someone (usually a programmer upstream, who could accidentally be the package maintainer as well) has provided a patch.
For stable this patch is then applied/backported by the Security Team (persons using computers, not computers all by themselves) and the stable repository has an updated package for the end-user. That much can be deduced for sure.
But why did the programmer provide a patch in the first place? Because he has realised that a program he cares about or feels responsible for is flawed and wants to fix it. So there is a certain likelihood that the programmer or the package maintainer will make sure that the issue is fixed in unstable as well. If it is a big package involving lots of people and lots of changes pending, it might be delayed to get everything done in one new version. The way this works depends on who has provided the patch and on the way the programmer and package maintainer tick and interact.
Which one is quicker, stable or unstable? The answer is already given: "Sometimes the changes happen at nearly the same time and sometimes one of the releases gets the security fix before."
Testing will always get it later than unstable and more often than not later than stable as well. That's for sure from experience.
Of course stable is stable and secure, that's the aim of the release.
But why now complain about the lag between stable and testing (when in most cases of security issues time between unstable and testing seems to be between a day and a week)? LMDE users have lived with completely outdated and unfixed packages for the past years. We had to download packages from testing-repo to fix issues which got fixed in LMDE-repos days, weeks or even an UP later.