On Sun, Aug 03, 2014 at 09:38:51PM +0200, Alias for Public Use wrote:
> I wonder about the update policies for universe packages.
>
> In particular I have noticed the drupal 7 package in the community
> repository is at version 7.26, whereas the current version is 7.30.

The version in Trusty is 7.26-1. The version in the current development release (Utopic) is 7.30-1. The version in an existing release is not updated except for security or high impact bug fixes. https://wiki.ubuntu.com/StableReleaseUpdates has rationale and criteria.

[...]

> Is there some kind of mechanism to issue resyncs/create an updated
> package?

Yes. If someone prepares a debdiff, or if a fix is just a straight sync from Debian, the Ubuntu Security Team will be happy to review and sponsor it. https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue#Notes%20for%20Contributors has the procedure.

> Especially for packages which have potentially large security issues
> and which have their own update mechanisms and which can be installed
> into a working ubuntu server with minimal invasiveness...

Using upstreams' own update mechanisms has in general never been acceptable for distributions. It worries me when I see that, for example, the "normal" way to upgrade Wordpress is from its own web UI. Surely the ability to be able to modify itself remotely through itself (in terms of a remote sysadmin, as opposed to a remote upstream that is verified cryptographically) is a security issue in itself?

> ...I believe there should be an update schedule or the package should
> not be available at all.

What do you mean by "an update schedule"? Are you asking that somebody apply, test and upload regular security updates? If so, then who are you suggesting should do this? Or are you just asking what the mechanism is to provide security updates?

-- Ubuntu-motu mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-motu
