Sunday, June 18, 2017

package management - Security updates for the universe repository for LTS releases?



What happens if there is a security problem in a package in the universe repository four years after the 12.04 LTS release; will the package be updated from upstream, patched, or left alone?



It's my understanding that the "5 years of support & security updates" applies only to the core of Ubuntu -- anything in the Main repository -- not to things in the Universe repository.



For a more specific example -- suppose I install Ruby now and want to use it for the next several years on 12.04, and it has a security vulnerability. While this might be patched upstream (so I could always download the latest from their website and compile it myself or use a PPA), will this upstream fix be migrated into the precise package repositories? What about backports?



Packages in Universe are community maintained. Whether or not they get security updates depends entirely on the community who uses them.




Instructions for contributing security updates for packages in Universe are here:



https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures#Preparing_an_update



Basically, anybody can file a bug, attach a debdiff, subscribe the ubuntu-security-sponsors team and someone from the team will look at it to make sure it's ok, and then sponsor it to the archive.
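
Since updates for Universe depend on the community, it helps to know which installed packages come from it. The script below is an added example, not part of the original answer: it reads package stanzas in dpkg status format and lists installed Universe packages. It assumes the `Section` field carries the component prefix (`universe/...`); the sample data and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumption: the Section field
# carries the archive component prefix, e.g. "universe/ruby" for Universe
# and a bare "utils" for Main.

# Constructed sample in dpkg status format; versions are illustrative.
sample_status() {
cat <<'EOF'
Package: openssl
Status: install ok installed
Section: utils
Version: 1.0.1-4ubuntu5

Package: ruby1.9.1
Status: install ok installed
Section: universe/ruby
Version: 1.9.3.0-1ubuntu1

Package: nginx-light
Status: deinstall ok config-files
Section: universe/httpd
Version: 1.1.19-1

Package: mosh
Status: install ok installed
Section: universe/net
Version: 1.1.3-1
EOF
}

# Read stanzas on stdin; print "package version" for every package that is
# currently installed and belongs to Universe.
list_universe_packages() {
    awk '
        function emit() {
            if (pkg != "" && status ~ /ok installed$/ && sec ~ /^universe\//)
                print pkg, ver
            pkg = status = sec = ver = ""
        }
        /^Package: / { pkg = substr($0, 10) }
        /^Status: /  { status = substr($0, 9) }
        /^Section: / { sec = substr($0, 10) }
        /^Version: / { ver = substr($0, 10) }
        /^$/         { emit() }
        END          { emit() }
    '
}

# Demo on the sample; on a real system: list_universe_packages < /var/lib/dpkg/status
sample_status | list_universe_packages
```

Packages installed from a PPA or a local .deb may have no component prefix, so an empty result does not prove that everything on the system is in Main.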

