ubuntu community update policy (in particular drupal7)

Scott Kitterman ubuntu at kitterman.com
Tue Aug 5 16:44:13 UTC 2014


On Tuesday, August 05, 2014 16:05:01 Robie Basak wrote:
> On Tue, Aug 05, 2014 at 04:36:18PM +0200, Alias for Public Use wrote:
> > The thing is if apparently no-one is watching the package and doing
> > this, it might be safer not to offer the package in the first place.
> > That way people unaware of the possibility of security issues not 
> > being addressed for extended periods of time cannot install the
> > package. If necessary they would have to install the software
> > themselves, probably more aware of the need to watch updates closely.
> 
> This is a fundamental difference between main and universe. There may be
> a case for an exception in the case of particular packages (bitcoin is a
> recent example), but in the general case I don't think it makes sense to
> not offer the packages. Users have a choice as to what they do right
> now, and also have the choice of contributing fixes. Removing packages
> takes that choice away.

No.  The difference is that for Universe there is generally not someone with an 
@canonical.com address paying attention to them.  There are plenty of Universe 
packages that are well maintained and updated.  Some by Canonical people and 
some by others.  While there is some correlation between Main/Universe and 
package maintenance, it's not as close as you might think.

> Instead, users can always opt to not install universe packages (eg.
> remove it from sources.list). There's also an argument for not having
> universe enabled by default, but I think that a decision was made a long
> time ago before I was around on this point. I guess it could always be
> revisited, but would probably be one for the technical board to make a
> final decision on.

No.  We have one set of sources.list for all of Ubuntu right now.  Many flavors 
provide packages from Universe, so this would break things and be hard to 
implement sanely.

> If the policy should be different for particular packages, what criteria
> are you saying should be used for selecting these?

It is reasonable to consider that a particular package may have 
characteristics that make it unsuitable for packaging unless actively 
maintained (clamav fit that criteria IMO before I started actively maintaining 
it in Feisty).  Wordpress might also.  The best case scenario would be for 
someone to take an active interest in the package and keep it secure.  For 
wordpress, that probably means pushing new releases, which would take TB 
approval.

Scott K
