Eventually, I am thinking of migrating to debian. Debian seems to have a nice record with security updates. I am sure it will require some retraining, but that probably worth the peace of mind.
One thing to consider with Debian is that their security team only focuses on the stable release. If you're bringing anything in from debian-testing (newer Sendmail or Apache, newer hardware drivers, etc.) you may have to wait longer for security fixes. Of course, if you're just installing a few key services from outside of debian-stable, chances are you're more likely to be installing from source instead of apt, so you'll have the ability to patch it yourself anyway.
Also, in my experience, except with the really major flaws (like the OpenSSH exploit back in September), Debian has a tendency to be slow. I follow the announcement lists for Red Hat, Mandrake, SuSE, Debian, and now Fedora, and Red Hat often has a fix out a week ahead of any of the others. Of course, since RH themselves aren't focusing on Fedora updates, it remains to be seen where Fedora will end up on the speed-of-fixes spectrum.
Kelson Vibber
SpeedGate Communications <www.speed.net>
