Should one be able to install with only release + -security enabled?
Dimitri John Ledkov
dimitri.ledkov at canonical.com
Thu Nov 26 17:26:46 UTC 2020
On Wed, Nov 25, 2020 at 2:59 PM Nish Aravamudan
<nish.aravamudan at gmail.com> wrote:
> I have been testing a network-isolated Ubuntu mirror inside our network and I am trying to understand if what I envision should work or not.
> In particular, I am trying to minimize how much review is needed for package updates, so I would like to just include the release and security pockets. However, I am finding a few package updates (in Bionic in my case, but I think Focal may also have this problem) that only have fixes in the -updates pocket. This prevents installation from succeeding with preseed.
> So far, I have seen apt-setup, but debootstrap and base-installer both need some adjustment for my test environment.
> Should we require -updates as well?
Actually it's the security pocket that is optional. It is a fast track
to access SRUs that happen to also contain security fixes at the
fastest speed possible, with automatic download & upgrades by default
via a direct connection to security.ubuntu.com.
When a new security update is prepared, it is based on package version
in updates; security; or release pocket in that order.
Because security update is mandatory to install, and it must not
regress any fixes that already were present in either
And then the security update is published into both updates & security
pockets on archive.ubuntu.com & mirrors, as well as onto
security.ubuntu.com host. As it must supersede everything.
When mirroring, we recommend for people to mirror release & updates
pockets. And we advise people to keep security.ubuntu.com
$suite-security archive config as is.
This way all machines can access security updates via a separate
endpoint directly. This ensures that if the private mirror is lagging,
the critical security updates still get through to the end-users.
If you must mirror security.ubuntu.com $suite-security, please ensure
it is a separate mirror too. Such that resiliency remains to access
security-updates even if the stock mirror for updates is down for
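An added example, not part of the original message or of any Ubuntu tooling: a Python check that a one-line-style sources.list follows the layout recommended in the reply above (release and -updates pockets configured, -security served from a host separate from the main mirror). The hostname `mirror.internal.example`, the function names and both sample files are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed samples; mirror.internal.example is a placeholder hostname.
RECOMMENDED = """\
deb http://mirror.internal.example/ubuntu bionic main restricted
deb http://mirror.internal.example/ubuntu bionic-updates main restricted
deb http://security.ubuntu.com/ubuntu bionic-security main restricted
"""
RELEASE_AND_SECURITY_ONLY = """\
deb http://mirror.internal.example/ubuntu bionic main restricted
# security pocket served from the same private mirror, no -updates
deb [arch=amd64] http://mirror.internal.example/ubuntu bionic-security main restricted
"""

def pockets(sources_text, suite):
    """Map pocket name ('release', 'updates', 'security') to the hosts serving it."""
    found = {}
    for line in sources_text.splitlines():
        # Strip comments and the optional [option=value ...] block, then tokenize.
        fields = re.sub(r"\[[^\]]*\]", " ", line.split("#", 1)[0]).split()
        if len(fields) < 3 or fields[0] != "deb":
            continue  # blank line, comment, deb-src or malformed entry
        uri, dist = fields[1], fields[2]
        if dist == suite:
            pocket = "release"
        elif dist.startswith(suite + "-"):
            pocket = dist[len(suite) + 1:]
        else:
            continue  # entry for a different suite
        found.setdefault(pocket, set()).add(urlparse(uri).hostname)
    return found

def audit(sources_text, suite):
    """Return deviations from the layout recommended in the reply (empty list = OK)."""
    p = pockets(sources_text, suite)
    problems = [f"{suite} {name} pocket is not configured"
                for name in ("release", "updates") if name not in p]
    main_hosts = p.get("release", set()) | p.get("updates", set())
    if "security" not in p:
        problems.append(f"{suite}-security is not configured")
    elif p["security"] & main_hosts:
        # A lagging or unavailable main mirror would also delay security updates.
        problems.append(f"{suite}-security shares a host with the main mirror")
    return problems

if __name__ == "__main__":
    for name, text in (("recommended", RECOMMENDED),
                       ("release+security only", RELEASE_AND_SECURITY_ONLY)):
        print(name, "->", audit(text, "bionic") or "OK")
```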