I run Debian. Slink (stable) on all the production machines, and potato (unstable) on two "testbed" ones.
I like how I can run "apt-get update; apt-get upgrade" and have the latest security updates I need automatically downloaded, installed and configured on my system.
Or, if I want to review the changes and decide for each package individually if I want to upgrade them or not, I run the "select" method in dselect first.
I can even get told within minutes of a new critical patch being posted by subscribing to the debian-announce mailing list.
There are a couple things that I really like about it:
1) The advisories sent out to the mailing list contain enough information to know what problem the updates are fixing. The changelog files in the packages (which I *can* read before installing the package, if I unpack it somewhere else) contain a list of all changes. And if this is not enough for me, I can go and get the source package, and diff it to the previous version.
2) Debian potato will contain the apt-zip package, a set of scripts that simplify the process of downloading updates to removable media (e.g. zip drives, though you could probably also write them to a CD-R if you needed or wanted to). I can apply them to as many machines as I want to by inserting the medium, mounting it and typing "dpkg -i /mountpoint/*.deb"
3) dselect, console-apt and gnome-apt as well as kpackage are applications that provide me a list (sorted by anything) of items I have installed so I can check off the one I want to uninstall.
I think everyone agrees that individual patches would be better since it allows ultimate user control. And the way they are organized in the Debian system is really great.
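
The changelog review described in point 1, as an added example that is not part of the original post: it parses a Debian-format changelog taken from an unpacked package and lists the entries newer than the installed version, with their urgency, so they can be read before upgrading. The package name, versions and changelog text are constructed sample data, and the function names are hypothetical; it relies on the changelog being ordered newest first rather than on full Debian version comparison.

```python
import re

# Header line of a Debian changelog entry:
#   package (version) distribution; urgency=level
HEADER = re.compile(r"^(?P<pkg>\S+) \((?P<ver>[^)]+)\) (?P<dist>[^;]+); urgency=(?P<urg>\w+)")

# Constructed sample changelog (package name, versions and text are made up).
SAMPLE = """\
examplepkg (1.2-3) stable; urgency=high

  * Fix buffer overflow in option parsing.

 -- Example Maintainer <maint@example.org>  Mon, 01 Nov 1999 10:00:00 +0000

examplepkg (1.2-2) stable; urgency=low

  * Update manual page.
  * Correct typo in init script.

 -- Example Maintainer <maint@example.org>  Fri, 01 Oct 1999 10:00:00 +0000

examplepkg (1.2-1) stable; urgency=low

  * Initial release.

 -- Example Maintainer <maint@example.org>  Wed, 01 Sep 1999 10:00:00 +0000
"""

def parse_changelog(text):
    """Split a changelog into entries: version, urgency, list of change lines."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"version": m["ver"], "urgency": m["urg"].lower(), "changes": []}
            entries.append(current)
        # Change lines are indented by two spaces; the " -- maintainer" trailer by one.
        elif current is not None and line.startswith("  ") and line.strip():
            current["changes"].append(line.strip())
    return entries

def pending_changes(text, installed_version):
    """Entries listed above the installed version (changelogs are newest first)."""
    pending = []
    for entry in parse_changelog(text):
        if entry["version"] == installed_version:
            return pending
        pending.append(entry)
    return pending  # installed version not listed: review everything

if __name__ == "__main__":
    for e in pending_changes(SAMPLE, "1.2-1"):
        print(e["version"], e["urgency"], *e["changes"], sep="\n  ")
```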