Newest Gnome versus LTS

Ralf Mardorf silver.bullet at zoho.com
Wed Jul 17 09:28:36 UTC 2019


On Wed, 17 Jul 2019 07:12:06 +0000, J.Witvliet at mindef.nl wrote:
>One of the things I noticed, is that 19.04 has  an up-2-date version
>of all sorts of security related packages. Eventhough those packages
>were upstream available before the release-date of 18.04, they choose
>not to include them.

Hi,

this is a feeble argument. Let me explain why.

First, a user needs to understand in what way packages are maintained.

"Main

[snip] When you install software from the main component, you are
assured that the software will come with security updates and that
commercial technical support is available from Canonical." -
https://help.ubuntu.com/community/Repositories#Main

"Restricted

[snip] Please note that it may not be possible to provide complete
support for this software because we are unable to fix the software
ourselves - we can only forward problem reports to the actual authors.
[snip]" - https://help.ubuntu.com/community/Repositories#Restricted

"Universe

[snip] Canonical does not provide a guarantee of regular security
updates for software in the universe component, but will provide these
where they are made available by the community. Users should understand
the risk inherent in using these packages. [snip]" -
https://help.ubuntu.com/community/Repositories#Universe

"Multiverse

[snip] This software is not supported and usually cannot be
fixed or updated. Use it at your own risk." -
https://help.ubuntu.com/community/Repositories#Universe

Second, a user needs to understand what security maintenance means.
Users cannot just rely on the good work of security teams.

Major distros provide detailed information, for Ubuntu
see https://usn.ubuntu.com/.

For Arch Linux see https://security.archlinux.org/.

How to use this information? You either need to read the notices or to
use a tool that takes a look at the affected packages. Sometimes
vulnerabilities are already known, but fixes do not exist.

For example on my Arch install are at least 9 official packages
vulnerable, but a fix is only available for one package:

[rocketmouse at archlinux ~]$ echo $(arch-audit -f "%n | " | sort) | sed s/.$//
chromium | gettext | glibc | inetutils | libmp4v2 | libtiff | openjpeg2 | python2 | sdl | sdl2 | unzip 
[rocketmouse at archlinux ~]$ arch-audit --upgradable --quiet
chromium>=75.0.3770.142-1

Most likely Ubuntu 16.04 packages from "main" provide "all sorts of
security related" upgrades. Yesterday I mentioned that 16.04 contains a
very risky package, but webkitgtk is from "universe", see
https://packages.ubuntu.com/xenial-updates/libwebkitgtk-1.0-0. This
package is still provided for 18.10,
https://packages.ubuntu.com/cosmic/libwebkitgtk-1.0-0.
It isn't available for 19.04, but such an issue could happen for
packages from 19.04, too.

_Even_ packages from the Ubuntu "main" repository or from official Arch
Linux repositories sometimes can't get security fixes immediately.
The user needs to decide what to do with those packages. Packages from
other Ubuntu repositories might be unsupported, and the user is warned
about it.

Note! New releases have fixes for old vulnerabilities, but they have
unknown new vulnerabilities.

The user has to do some security related maintenance as described
above. Running after the latest and greatest gains nothing at all,
since the Ubuntu security team fixes issues for old releases, too,
and doesn't fix issues for unsupported packages of new releases either.

Regards,
Ralf
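The check Ralf describes above (which installed packages have a known
vulnerability, and for which of those a fixed version actually exists,
the two lists his arch-audit calls print) can be reproduced with a
small script. The following is an added example and not code from the
post or from arch-audit; the "installed" package list and the advisory
records are constructed for illustration, and the record shape
(name, packages, status, affected, fixed) is an assumption loosely
modelled on a security tracker export, not a documented format. The
version comparison is a simplified stand-in for pacman's vercmp.

```python
"""Split installed packages into 'vulnerable, fix available' and
'vulnerable, no fix yet' from an advisory feed.

Added example, not code from the mailing-list post or from arch-audit.
All data below is CONSTRUCTED; the feed record shape is an assumption.
"""
import re

# Constructed sample of installed packages, as `pacman -Q` would list them.
INSTALLED = {
    "chromium": "75.0.3770.100-1",
    "glibc": "2.29-1",
    "libtiff": "4.0.10-2",
    "unzip": "6.0-13",
    "curl": "7.65.1-1",
}

# Constructed advisory feed. Assumed keys: name, packages, status,
# affected, fixed (None when no fixed version has been released yet).
FEED = [
    {"name": "AVG-0001", "packages": ["chromium"], "status": "Fixed",
     "affected": "75.0.3770.100-1", "fixed": "75.0.3770.142-1"},
    {"name": "AVG-0002", "packages": ["glibc"], "status": "Vulnerable",
     "affected": "2.29-1", "fixed": None},
    {"name": "AVG-0003", "packages": ["libtiff"], "status": "Vulnerable",
     "affected": "4.0.10-2", "fixed": None},
    {"name": "AVG-0004", "packages": ["unzip"], "status": "Fixed",
     "affected": "6.0-12", "fixed": "6.0-13"},     # already patched locally
    {"name": "AVG-0005", "packages": ["openssh"], "status": "Vulnerable",
     "affected": "8.0p1-1", "fixed": None},        # not installed here
]


def _parse(version):
    """Split 'epoch:pkgver-pkgrel' into (epoch, pkgver, pkgrel)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    pkgver, _, pkgrel = rest.partition("-")
    return int(epoch), pkgver, pkgrel or "0"


def _segments(text):
    """Tokenise into ints and alpha runs: '4.0.10' -> [4, 0, 10]."""
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", text)]


def _cmp_segments(a, b):
    """Simplified vercmp: numeric > alpha, ints by value, alpha lexically,
    longer list is newer. Close to pacman's vercmp for release versions,
    not identical for pre-release suffixes (e.g. '1.0a' vs '1.0')."""
    for x, y in zip(a, b):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return (x > y) - (x < y)
        if isinstance(x, int):
            return 1
        if isinstance(y, int):
            return -1
        return (x > y) - (x < y)
    return (len(a) > len(b)) - (len(a) < len(b))


def vercmp(a, b):
    """Return -1, 0 or 1 like pacman's vercmp (epoch, then pkgver, then pkgrel)."""
    ea, va, ra = _parse(a)
    eb, vb, rb = _parse(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    c = _cmp_segments(_segments(va), _segments(vb))
    return c if c else _cmp_segments(_segments(ra), _segments(rb))


def audit(installed, feed):
    """Return (vulnerable, upgradable): the set of installed packages that
    are affected, and {pkg: fixed_version} for those where a fix exists
    that is newer than what is installed."""
    vulnerable, upgradable = set(), {}
    for entry in feed:
        fixed = entry.get("fixed")
        for pkg in entry["packages"]:
            current = installed.get(pkg)
            if current is None:
                continue                       # advisory for a package we don't have
            if fixed and vercmp(current, fixed) >= 0:
                continue                       # already at or past the fixed version
            vulnerable.add(pkg)
            if fixed and (pkg not in upgradable or vercmp(fixed, upgradable[pkg]) > 0):
                upgradable[pkg] = fixed        # keep the highest fixed version
    return vulnerable, upgradable


def report(vulnerable, upgradable):
    """One line per affected package, arch-audit style: 'pkg>=fixed' when
    an upgrade closes the hole, otherwise flag it as needing a decision."""
    lines = []
    for pkg in sorted(vulnerable):
        if pkg in upgradable:
            lines.append(f"{pkg}>={upgradable[pkg]}")
        else:
            lines.append(f"{pkg}: known vulnerable, no fix yet (mitigate or accept the risk)")
    return lines


if __name__ == "__main__":
    print("\n".join(report(*audit(INSTALLED, FEED))))
```

The point the split makes visible is the one in the post: an upgrade only
closes the entries that have a fixed version; the rest stay on the
"vulnerable" list whatever release you run until upstream or the distro
ships a fix, so those need a decision (workaround, removal, or accepted
risk) rather than a `pacman -Syu`.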
