Should one be able to install with only release + -security enabled?

Dimitri John Ledkov dimitri.ledkov at
Thu Nov 26 17:26:46 UTC 2020

On Wed, Nov 25, 2020 at 2:59 PM Nish Aravamudan
<nish.aravamudan at> wrote:
> Hi!
> I have been testing a network-isolated Ubuntu mirror inside our network and I am trying to understand if what I envision should work or not.
> In particular, I am trying to minimize how much review is needed for package updates, so I would like to just include the release and security pockets. However, I am finding a few package updates (in Bionic in my case, but I think Focal may also have this problem) that only have fixes in the -updates pocket. This prevents installation from succeeding with preseed.
> So far, I have seen apt-setup, but debootstrap and base-installer both need some adjustment for my test environment.
> Should we require -updates as well?

Actually it's the security pocket that is optional. It is a fast track
to access SRUs that happen to also contain security fixes at the
fastest speed possible, with automatic download & upgrades by default
via a direct connection to

When a new security update is prepared, it is based on package version
in updates; security; or release pocket in that order.

Because security update is mandatory to install, and it must not
regress any fixes that already were present in either

And then the security update is published into both updates & security
pockets on & mirrors, as well as onto host. As it must supersede everything.

When mirroring, we recommend for people to mirror release & updates
pockets. And we advise people to keep
$suite-security archive config as is.

This way all machines can access security updates via a separate
endpoint directly. This ensures that if the private mirror is lagging,
the critical security updates still get through to the end-users.

If you must mirror $suite-security, please ensure
it is a separate mirror too. Such that resiliency remains to access
security-updates even if the stock mirror for updates is down for



More information about the Ubuntu-devel-discuss mailing list
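
An added example, not part of the original thread or of any Ubuntu tooling: a small audit of a one-line-style apt sources list against the layout recommended in the reply above (release and -updates pockets present, -security served from a different host than -updates). The host names and the sample configuration are constructed placeholders, and the function names are hypothetical.

```python
from urllib.parse import urlparse

# Constructed sample; both host names are placeholders, not real archive hosts.
SAMPLE = """\
deb http://mirror.internal.example/ubuntu bionic main restricted
deb http://mirror.internal.example/ubuntu bionic-updates main restricted
# comments and deb-src lines are ignored
deb [arch=amd64] http://security-endpoint.example/ubuntu bionic-security main
"""

def parse_sources(text):
    """Return {suite: set of hosts} for every 'deb' line."""
    pockets = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields or fields[0] != "deb":
            continue
        rest = fields[1:]
        # Skip an optional "[option=value ...]" block before the URI.
        if rest and rest[0].startswith("["):
            while rest and not rest[0].endswith("]"):
                rest = rest[1:]
            rest = rest[1:]
        if len(rest) < 2:
            continue  # malformed line: no URI + suite pair
        uri, suite = rest[0], rest[1]
        pockets.setdefault(suite, set()).add(urlparse(uri).hostname)
    return pockets

def audit(text, release):
    """List deviations from the recommended pocket layout for one release."""
    pockets = parse_sources(text)
    updates, security = f"{release}-updates", f"{release}-security"
    findings = [f"missing pocket: {p}"
                for p in (release, updates, security) if p not in pockets]
    # -security should stay reachable when the -updates mirror lags or is down.
    shared = pockets.get(security, set()) & pockets.get(updates, set())
    findings += [f"{security} shares host {h} with {updates}"
                 for h in sorted(shared)]
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, "bionic") or ["layout matches the recommendation"]:
        print(finding)
```
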