Hi, some time ago I was reading this:
Being based on Debian is a good choice, but people often ask, “Why is PureOS based on the testing suite of Debian in particular?” The answer is simple: it is a middle ground for development, stability, and freshness of packages; nice for everyday usage while still giving freedom to explore fresh new things.
Source: https://puri.sm/posts/what-is-pureos-and-how-is-it-built/
I was happy because that is a much more modern approach now, where software is released continuously in smaller chunks of features.
However, this clearly does not work in practice; software in PureOS is still outdated:
Regular software updates are one thing, but then there are security updates. How can it happen that the security- and privacy-oriented PureOS does not merge Firefox ESR security updates (from Debian security) for many months, repeatedly?
As for the regular package updates and security by design, maybe it is time to replace Debian with some OS that has a modern approach:
Reproducible builds and deployments.
Nix is a tool that takes a unique approach to package management and system configuration. Learn how to make reproducible, declarative and reliable systems.
https://nixos.org/
The Clear Linux project provides a stateless system. It can operate without any custom configuration, for example, a generic host with an empty /etc directory. Stateless systems strictly separate the OS configuration, the per-system configuration, and the VT user-data stored on that system. This separation simplifies maintenance and deployment. In other words, you can configure the host to perform a specific function.
https://clearlinux.org/features/stateless
As for the security package updates, what is the process in PureOS? How are they merged, and how fast?