I'm not as concerned about whether the packagers can be trusted - I also trust the packagers in sid, and like the fasttrack keyring is in Debian's main repo
What I'm worried about is that it seems like these bypass the testing repo, and build directly from sid (and sometimes experimental)
Generally, that has been discouraged, as the package version can get ahead of testing, and make a "frankendebian" where it isn't safe to upgrade from e.g. Debian 12 -> Debian 13, as your Debian 12 packages are newer than the Debian 13 packages
Is there something with the package versions that keeps this "safe," or will there be fasttrack packages for Debian 14 prepared prior to Debian 14, such that you can upgrade between major versions without conflicting packages (take for example fasttrack's Kernel and Mesa being ahead of Testing)?
Edit: for another example, are these more like backports-sloppy with all the warnings about upgrading after using the repo?
At least with the vendors I'm referring to (2/3 that make all Android phones), they just took the open source code, hacked it up as quickly as possible to get some basic drivers working, and moved on.
There wasn't any "special sauce" in the source, they just didn't want to spend the effort to upstream it
Edit: Just because you said "hardware open source" I wasn't advocating for open hardware, just for hardware vendors to, ya know, support the hardware
Linux phones try to build from upstream Linux, and the major phone SoC vendors HATE upstreaming their code.
They believe every character in their source code is absolutely top secret.
A middle ground I wish was considered more is taking Google's kernel and the vendor's DLKM partition/DTB/DTBO for hardware support, and putting a GNU userspace on top.
This has had problems in the past, because vendors would modify syscall tables such that they don't match userspace anymore, but with GKI, I think we're closer to that being a possibility
They aren't available on all releases - the people that found the issue didn't really follow responsible disclosure, so distros didn't have time to fix it
They will fix it over the next couple days, but if you need a fix now, those are the ways to protect yourself until security updates make it out
I'm working off the knowledge that OP is using a rolling release, so it is likely fixed by that for them.
(Arch based, Cachy, and OpenSUSE Tumbleweed all have it as a module, and are the most commonly suggested. Fedora fixed it 2 weeks ago since they follow mainline, so I'd expect Bazzite to have it too. If they're using Debian Sid/Testing, it's both fixed and a module)
As long as there's a pepper in there