I've been waiting for this a long time. Debian finally makes proprietary drivers and newer software available. I've been using neon for a while, but now I can switch to Debian with almost no compromises.
Debian 12.0 Released - Powered By Linux 6.1 LTS, Easier Non-Free Firmware Handling
-
Originally posted by marlock:
ps: their wording about the average exposure time going down from 98 days to 1 day does seem to imply they are withholding security patches for an average 97-day delay between making them available for Pro and for normal open distro usage, which is terrible... if that's what they really meant...

- Universe is supported by "the community". Meaning that if some external (non-Canonical) volunteer provides a security update, Canonical will review and help that person to upload that update to universe. If nobody volunteers, well, the vulnerable package remains unpatched, possibly until the distro version goes EOL.
- Ubuntu Pro subscribers get access to another repository where Canonical provides security updates for (a subset of?) the packages in universe. These security updates are, AFAIU, never "released" to the universe repository.
Now, depending on whether you're a foaming-at-the-mouth Canonical fanboy with posters of Mark Shuttleworth in your bedroom, or you hate Ubuntu with the passion of a thousand suns (THERE CAN BE NO IN-BETWEEN POSITION!!!11), you can speculate what happens if a volunteer provides a security update for a universe package that is supported by Canonical and thus reduces the value of an Ubuntu Pro subscription.
-
Going by their current pattern of handling kernel updates, the Universe repo will probably receive the patch in normal timing, and in the Pro-Universe-subset repo the equivalent package might take a little while longer to get the Canonical-authored patches replaced by the upstream changes, but this will eventually happen.
Not a problem since they're in separate repos.
Also, Canonical typically keeps the kernel on an older upstream base version but actually cherry-picks lots of patches from newer upstream versions and backports these along with their own work... note how they frequently adhere to an upstream kernel LTS version minus .1 and end package names with the package upstream version dash Canonical subversion.
Canonical is slowly learning the value of tracking upstream changes closer... very slowly... but doing all this doubled effort is still a big "thing" for them.

Last edited by marlock; 14 June 2023, 07:01 AM.
-
Originally posted by jabl:
As far as I understand, an Ubuntu release is largely a snapshot of Debian testing/sid. The main repo contains those packages which Canonical has decided to fully support (with, in some cases, different versions from what Debian is shipping, plus various Ubuntu-specific packages and patches), and thus universe is essentially the rest of the Debian archive more or less unmodified (ignoring here restricted/multiverse and Debian contrib/non-free).

Such practices don't sound convincing at all. Therefore I now can't rely on current and future Ubuntu LTS, the new Snap-based desktop, or even Ubuntu Pro.
When other distros (e.g. Debian, Fedora) have maintenance/manpower issues they just drop packages from their repos. Sometimes it's disappointing, but at least it's fair to their users.
Also, in such a case volunteers can step in and take over maintenance (example: Fedora's LibreOffice RPM).
-
Originally posted by marlock:
going by their current pattern handling kernel updates, the Universe repo will receive the patch in normal timing, and the Pro-Universe-subset equivalent package might take a little while longer to get the canonical-authored patches replaced by the upstream changes, but this will eventually happen

Originally posted by marlock:
this will eventually happen
-
ok, this is indeed weird as f... Ubuntu 22.04 is the current LTS, not an EOL version...
...and the patch exists but only for the ESM version, so it is quite explicitly "available with Ubuntu Pro" but not for anyone else
is this even the Universe repo or a more core one?

Ubuntu 22.04:
- node-jquery-ui - 1.13.1+dfsg-1ubuntu0.1~esm1 (Available with Ubuntu Pro)
- libjs-jquery-ui - 1.13.1+dfsg-1ubuntu0.1~esm1 (Available with Ubuntu Pro)
-
Originally posted by marlock:
and circling back to Debian... is the same thing fixed there?
-
That might not automatically mean there is an open vulnerability in the Debian version of the package (it might not have been affected at all), but it sure is a nice big yellow flag to look into further.
I do have my reservations towards Canonical and Ubuntu, but I've become more cautious about flaming them after reading what the Linux Mint devs had to say about Ubuntu while replying to users that criticized Ubuntu and asked them to rebase onto Debian for their main flavours.
They do keep Linux Mint Debian Edition around as a proof-of-concept effort in case Ubuntu goes kaput, but never really consider it worthwhile to jump off the Ubuntu-derivative distro bandwagon for their main flavours Cinnamon, MATE and Xfce.

Last edited by marlock; 14 June 2023, 04:18 PM.
-
Originally posted by marlock:
That might not automatically mean there is an open vulnerability in the Debian version of the package (it might not have been affected at all) but it sure is a nice big yellow flag to further look into