I know about the difference between, for example, focal-security, focal-updates and focal-backports.
But /etc/apt/sources.list also has URLs for focal in addition to the others.

This is confusing. Is focal only what came packaged with the distro release? Or what was available at that point in time?
Or is it the initial version 1.0 of every package? Does it not get security updates?
Also, what's it called? The "default" repo / channel?

What would happen, for example, if I had only focal enabled, or only focal-security enabled?
What's the point in making a distinction between those two repos? Or is it just an alias for focal-security?


Related (but doesn't quite answer specifically about this difference):

geekley

1 Answer

This is addressed in the Security Team FAQ:

How are components and pockets used in the builds, and how do they affect security updates?

[...]

Ubuntu also has several pockets that further divide the archive: release, security, updates, proposed and backports. [...] The release pocket is simply the name of the release, and the other pockets are denoted by <release name>-<pocket>. For example, the release pocket for Ubuntu 16.04 LTS, the Xenial Xerus, is simply xenial, while the security pocket for Ubuntu 16.04 LTS is xenial-security. Packages in release, security and updates are supported by the Ubuntu Security team, while packages in backports are supported by the community and packages in proposed are the responsibility of the uploader. When packages are built, only certain pockets are available during the build:

  • release: during the development cycle, this is the only pocket that is used. Once the development version is released, the release pocket is frozen and does not change.

  • security: built with release and security. UpdateProcedures gives the process used for creating security updates.

  • proposed: built with release, security, updates and proposed

  • updates: as a matter of Ubuntu policy, packages in updates are not directly built, but rather copied from proposed after they have been tested. See StableReleaseUpdates for details. If a special circumstance warrants building a package in updates without going through proposed first, it would be built with release, security and updates (also, the default configuration for unofficial PPAs is to build with this configuration).

  • backports: built with release, security, updates and backports. See UbuntuBackports for details.

What repositories and pockets should I use to make sure my systems are up to date?

  • By default, Ubuntu systems have both the security and updates pockets enabled. Systems configured to use only the security pocket are also supported.

  • While packages are copied from security to updates frequently, it is recommended that systems always have the security pocket enabled, and use security.ubuntu.com for this pocket. For all other pockets feel free to use archive.ubuntu.com or an archive mirror. This combination will ensure you are able to download important updates immediately while taking advantage of the mirror network or archive.ubuntu.com for all other downloads. Ubuntu systems are configured in this manner by default.


So:

Is focal only what came packaged with the distro release?

Yes.

Does it not get security updates?

No.

Also, what's it called?

The "release" pocket.

What would happen, for example, if I had only focal enabled, or only focal-security enabled?

With only focal enabled, you'd be effectively limited to being able to install packages included in the initial 20.04 release. With only focal-security enabled, you'd have a broken system, since you would quickly run into dependency problems (since not all dependencies would have had security updates, so some would still be only in focal).

muru
  • Thanks! That explains a lot! So, would it be right to assume universe and multiverse pkgs are never in "release" pocket? I suppose since they are not "main" (officially supported) they wouldn't be bundled with an Ubuntu installation, right? Also, does "release" pocket apply to point releases too, like 20.04.1? – geekley Oct 07 '20 at 18:05
  • No, components are orthogonal to pockets. All packages in all components at the time of release are frozen in the release pocket. – muru Oct 08 '20 at 00:10
  • So, every time a package is built, that build is associated with both a component and pocket? You can think of it as each component can be subdivided into each pocket, or that each pocket can be subdivided into each component. Any combination of components and pockets will have packages. Any builds included in an Ubuntu distribution when the distribution was made will go into the release pocket. This doesn't mean they came installed with the distribution though, it just means that you can apt install them without having to first bring in any external repositories / PPAs. Is this all correct? – Kevin Wheeler Jul 26 '22 at 17:35
  • @KevinWheeler I'm not sure about the build time association. IIRC when Ubuntu does an update of a package in a stable release, it starts in -proposed and then moves to -updates or -security without (necessarily) changing versions in between, so a particular build can be associated with different pockets at different times. The rest seems correct. – muru Jul 27 '22 at 02:05
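
The pocket guidance quoted in the answer can be checked mechanically against a sources.list. The following is an added example, not part of the original thread or of any Ubuntu tool: it assumes the classic one-line `deb` format, and the sample file, the mirror hostname and the function names `parse` and `audit` are constructed for illustration. The per-component check follows from the comment that components are orthogonal to pockets.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the one-line sources.list format (not taken from the page).
SAMPLE = """\
deb http://archive.ubuntu.com/ubuntu focal main universe
deb http://archive.ubuntu.com/ubuntu focal-updates main universe
# deb http://archive.ubuntu.com/ubuntu focal-proposed main
deb [arch=amd64] http://mirror.example.org/ubuntu focal-security main
"""

POCKETS = {"security", "updates", "proposed", "backports"}
ENTRY = re.compile(r"^deb\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(\S+)\s+(.+)$")

def parse(text):
    """Yield (host, release, pocket, components) for each active binary entry."""
    for raw in text.splitlines():
        m = ENTRY.match(raw.split("#", 1)[0].strip())
        if not m:
            continue  # comment, blank line, or deb-src
        uri, suite, comps = m.groups()
        release, _, suffix = suite.rpartition("-")
        if not release or suffix not in POCKETS:
            release, suffix = suite, "release"  # bare release name is the release pocket
        yield urlsplit(uri).hostname, release, suffix, set(comps.split())

def audit(text):
    """Return findings, one string each, following the FAQ guidance quoted above."""
    comps, sec_hosts = {}, {}
    for host, release, pocket, components in parse(text):
        comps.setdefault(release, {}).setdefault(pocket, set()).update(components)
        if pocket == "security":
            sec_hosts.setdefault(release, set()).add(host)
    findings = []
    for release, by_pocket in sorted(comps.items()):
        base = by_pocket.get("release", set())
        sec = by_pocket.get("security", set())
        if not base:
            findings.append(f"{release}: release pocket missing, dependencies will not resolve")
        for c in sorted(base - sec):
            findings.append(f"{release}: component {c} has no security pocket enabled")
        for h in sorted(sec_hosts.get(release, set()) - {"security.ubuntu.com"}):
            findings.append(f"{release}: security pocket served by {h}, not security.ubuntu.com")
        for p in sorted(by_pocket.keys() & {"proposed", "backports"}):
            findings.append(f"{release}: {p} is not supported by the Ubuntu Security team")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

A configuration with release plus security only produces no finding, matching the FAQ's statement that security-only systems are supported; the deb822 `.sources` format is not handled.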