ubuntu community update policy (in particular drupal7)

Robie Basak robie.basak at ubuntu.com
Mon Aug 4 09:58:53 UTC 2014


On Sun, Aug 03, 2014 at 09:38:51PM +0200, Alias for Public Use wrote:
> I wonder about the update policies for universe packages.
> 
> In particular I have noticed the drupal 7 package in the community
> repository is at version 7.26, whereas the current version is 7.30.

The version in Trusty is 7.26-1. The version in the current development
release (Utopic) is 7.30-1.

The version in an existing release is not updated except for security or
high impact bug fixes. https://wiki.ubuntu.com/StableReleaseUpdates has
rationale and criteria.

[...]

> Is there some kind of mechanism to issue resyncs/create an updated
> package?

Yes. If someone prepares a debdiff, or if a fix is just a straight sync
from Debian, the Ubuntu Security Team will be happy to review and
sponsor it.
https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue#Notes%20for%20Contributors
has the procedure.

> Especially for packages which have potentially large security issues
> and which have their own update mechanisms and which can be installed
> into a working ubuntu server with minimal invasiveness...

Using upstreams' own update mechanisms has in general never been
acceptable for distributions. It worries me when I see that, for
example, the "normal" way to upgrade Wordpress is from its own web UI.
Surely the ability to be able to modify itself remotely through itself
(in terms of a remote sysadmin, as opposed to a remote upstream that is
verified cryptographically) is a security issue in itself?

> ...I believe there should be an update schedule or the package should
> not be available at all.

What do you mean by "an update schedule"? Are you asking that
somebody apply, test and upload regular security updates? If so, then
who are you suggesting should do this? Or are you just asking what the
mechanism is to provide security updates?


More information about the Ubuntu-motu mailing list