Tuesday, 23 July 2013

Re: Source packages appropriate by default?

On Wednesday, July 24, 2013 11:00:40 AM Daniel J Blueman wrote:
> Perhaps we have two issues here:
....
> The 20% additional download due to sources [1] would help both issues,
> but perhaps of bigger impact, trusting the country-level mirror for
> the security updates?
...
You aren't. Security updates are pushed first to security.ubuntu.com and then
copied to archive.ubuntu.com and mirrored from there. The security pocket
isn't mirrored so you always hit it directly and if a country mirror lags, you
get the package from security.ubuntu.com. Also, the signing key is the same
Ubuntu archive signing key whether you're getting a package form
archive.ubuntu.com or a country mirror, so you aren't trusting the country
mirror cryptographically either.

Scott K

--
ubuntu-devel mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel