SRUs and the importance of validating upstream release tarballs
Robie Basak
robie.basak at ubuntu.com
Fri Oct 4 10:08:32 UTC 2024
On Fri, Oct 04, 2024 at 11:49:32AM +0200, Matthias Klose wrote:
> I don't think this is necessary when the .orig tarball already is in the
> archive for a newer release. Which extra checks do you want to perform?
I think there is still some benefit when the stable updates are arriving
very closely behind a development release orig tarball upload. For
example, if there hadn't been a time lag with xz-utils, Ubuntu would*
have noticed too late.
> Are there really cases, where you don't want the new upstream release first
> in the development release?
This is also very common in the case of upstream microreleases where the
development release is on a higher major version. For example, this week
I accepted openvpn updates to Focal, Jammy and Noble. The Focal and
Jammy orig tarballs weren't previous in the Ubuntu archive (I didn't
check Debian; I checked against upstream directly):
openvpn | 2.4.7-1ubuntu2 | focal | source
openvpn | 2.4.12-0ubuntu0.20.04.2 | focal-security | source
openvpn | 2.4.12-0ubuntu0.20.04.2 | focal-updates | source
openvpn | 2.5.5-1ubuntu3 | jammy | source
openvpn | 2.5.9-0ubuntu0.22.04.3 | jammy-security | source
openvpn | 2.5.9-0ubuntu0.22.04.3 | jammy-updates | source
openvpn | 2.5.11-0ubuntu0.22.04.1 | jammy-proposed | source
openvpn | 2.6.9-1ubuntu4 | noble | source
openvpn | 2.6.9-1ubuntu4.1 | noble-security | source
openvpn | 2.6.9-1ubuntu4.1 | noble-updates | source
openvpn | 2.6.12-0ubuntu0.24.04.1 | noble-proposed | source
openvpn | 2.6.12-1ubuntu1 | oracular | source
Robie
* In the case of xz-utils, we also didn't update stable releases for
policy reasons, but that doens't apply in the general case.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/ubuntu-devel/attachments/20241004/d8221bee/attachment.sig>
More information about the ubuntu-devel
mailing list