
As an almost daily Tails user that closely follows its development and knows one of its developers, my impression is that the Tails team is seriously understaffed, which I believe explains all your concerns. There are only two persons that more or less regularly write code and prepare releases.

> hasn't updated the release since March so a dozen known Debian security advisories are not patched

It could be that none of the current vulnerabilities seriously affect Tails' stated use cases. Do they? We know that Heartbleed does not affect Tails. Only CVE-2014-2653 looks remotely relevant to me but I'm no expert. An out-of-schedule Tails release would steal a lot of development time which instead could be used to improve Tails permanently so they are not done unnecessarily.

> it took them years to even add a macchanger on boot for wireless

Judging by their design document, it seems like a pretty big undertaking to do properly without causing a huge user support mess and giving a false sense of security. I for one understand if they chose to deprioritize it for some years in favor of other lower-hanging fruit of similar importance. Personally I used to run macchanger manually when needed, as the tool itself has been included in Tails for as long as I have been using it (four years).

> Oops, the strange decisions at Tails saves the day.

Since Debian Squeeze still receives security updates, this does not seem very strange at all. I believe the "decision" is another consequence of their lack of manpower. While slightly annoying at times, I can live with outdated packages that lack features I would like to have as long as they receive security upgrades.

> I still don't understand their reluctance to patch grsecurity and/or pax.

The Tails team has explicitly stated that they do not have the human resources available to afford maintaining all that themselves. Hopefully the Debian kernel team will get their shit together and provide a hardened kernel flavor some time soon.

> [...] the vast public is stuck with Tails which keeps ballooning in size. They need a light version without tons of codecs and video editing software, collaborative editors or full office suites.

One danger with a lightweight Tails distribution is that users are forced to mix data and activities with their normal, insecure OS, which potentially can hurt their anonymity and leave a data trail, thus countering Tails' two main points. Another danger is that the users get tired of Tails' inability to do basic, expected activities and stop using it completely, switching back to their normal, insecure OS for activities that they really should use Tails for.

That said, I do agree that fringe use cases like video editing should be removed since Tails' size is becoming a real concern. The "additional software" feature available when running Tails from a USB drive should be promoted more actively for such edge cases. Shipping fewer packages in Tails should also decrease the Tails team's maintenance burden, so this actually looks like something worthwhile issuing a feature request for.


