Source packages appropriate by default?

Daniel J Blueman daniel at quora.org
Wed Jul 24 04:31:01 UTC 2013


On 24 July 2013 11:08, Scott Kitterman <ubuntu at kitterman.com> wrote:
> On Wednesday, July 24, 2013 11:00:40 AM Daniel J Blueman wrote:
>> Perhaps we have two issues here:
> ....
>> The 20% additional download due to sources [1] would help both issues,
>> but perhaps of bigger impact, trusting the country-level mirror for
>> the security updates?
> ...
> You aren't.  Security updates are pushed first to security.ubuntu.com and then
> copied to archive.ubuntu.com and mirrored from there.  The security pocket
> isn't mirrored so you always hit it directly and if a country mirror lags, you
> get the package from security.ubuntu.com.  Also, the signing key is the same
> Ubuntu archive signing key whether you're getting a package form
> archive.ubuntu.com or a country mirror, so you aren't trusting the country
> mirror cryptographically either.

What I meant, if the country-level archive is sync'd every 12-24
hours, would it be sufficient to download the security pocket from
<cc>.archive.ubuntu.com? It is mirrored, so this would alleviate the
second issue.

Daniel



More information about the ubuntu-devel mailing list