UPDATE: Announcement from www.kubuntu.de

Colin Watson cjwatson at ubuntu.com
Wed Apr 12 04:47:24 UTC 2006


On Tue, Apr 11, 2006 at 01:19:43PM -0400, John Ruschmeyer wrote:
> Karl Goetz wrote:
> >no, he said that the updates gained from archive.ubuntu.com in
> >(K?)ubuntu-updates and (K?)ubuntu-security should be merged into the cd
> >after a certain amount of time (3 months).
> >While i agree with the idea in principal it means updating the gpg keys
> >and changing packages for the 'stable' branch. So i have to disagree
> >with it when the 18 month lifetime is taken into consideration
> 
> I agree in principle also, but I'm not sure who would really benefit 
> from a mid-cycle update of the install and live isos.
> 
> Since, the Ubuntu policy is generally not to update package versions 
> within a release (hence no official Firefox 1.5 for breezy), then the 
> only updates would be bug fixes and security patches.  The installer 
> picks those up automatically at installation, unless you are installing 
> without a net connection. Conversely, if you don't have a net 
> connection, then the security fixes probably aren't as important.
> 
> It makes more sense for the users of the live CD, but where do you draw 
> the line on security and package updates? If we do a 3 month update, 
> what happens if a big bug shows up at month 4.5 or 5.5?

I remember discussing this with Mark way back before Warty released. We
decided at that point that we would not do point releases of ISO images
as a matter of routine, partly for the sort of reasons you outline
above, and partly because unless we were very careful it would introduce
significant confusion for consumers of CDs received through shipit as to
what exactly they were getting.

That policy hasn't changed in the intervening years, although we will
shortly be doing a point release of Ubuntu 5.10 to address a password
disclosure vulnerability in the installer itself (which has also been
worked around in security updates, so don't panic, you aren't vulnerable
if you're up-to-date; we just think it would be a good idea to fix the
installer too). That's pretty much the only scenario in which we'd
envisaged doing point releases up to now.

I wouldn't like to rule out point releases of Dapper. That's a special
case because of the long-term support.

For what it's worth, I do not recall the kubuntu.de folks ever coming to
me as the cdimage admin asking for point releases. If they had, I could
have told them the above and they would not have needed to put it in a
ransom note on their web site.

Cheers,

-- 
Colin Watson                                       [cjwatson at ubuntu.com]




More information about the ubuntu-users mailing list