Tuesday, 23 July 2013

Re: Source packages appropriate by default?

On 24 July 2013 11:08, Scott Kitterman <ubuntu@kitterman.com> wrote:
> On Wednesday, July 24, 2013 11:00:40 AM Daniel J Blueman wrote:
>> Perhaps we have two issues here:
> ....
>> The 20% additional download due to sources [1] would help both issues,
>> but perhaps of bigger impact, trusting the country-level mirror for
>> the security updates?
> ...
> You aren't. Security updates are pushed first to security.ubuntu.com and then
> copied to archive.ubuntu.com and mirrored from there. The security pocket
> isn't mirrored so you always hit it directly and if a country mirror lags, you
> get the package from security.ubuntu.com. Also, the signing key is the same
> Ubuntu archive signing key whether you're getting a package form
> archive.ubuntu.com or a country mirror, so you aren't trusting the country
> mirror cryptographically either.

What I meant, if the country-level archive is sync'd every 12-24
hours, would it be sufficient to download the security pocket from
<cc>.archive.ubuntu.com? It is mirrored, so this would alleviate the
second issue.


ubuntu-devel mailing list
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel