On Thu, May 09, 2024 at 07:23:09AM -0400, David A. Desrosiers wrote:
> Let's also not lose sight of the fact that if proposed had been enabled by
> default with the current LTS release, the xz exposure and impact would have
> been a lot broader than it was, and also a lot harder to clean up and
> retract from.
I don't think that's true. With NotAutomatic, users would still have been required to explicitly install the package from proposed (with -t or equivalent), and what would have caused them to do that?

> As it was, the customer I support mirrored -proposed into their internal
> aptly during the Feb 28-March 30 window when the exploited versions of xz
> packages were resident in noble-proposed, and some of their machines had it
> deployed as part of internal automation. They had to go through a manual
> exercise to delete the pocket from their mirror and specifically the
> xz-utils packages for a daily span of 30 days of mirroring and resilver all
> of their aptly package lists to redact that and remove their own potential
> for exposure.

This sounds like a counterexample to me - it sounds like a user deliberately chose to opt in to the cutting edge and faced the consequences. That's always going to be the case for those who opt in. If we had chosen to already add proposed by default, that wouldn't have changed the impact for this particular user.

> Let's err on the side of being a bit more cautious here, so we don't leave
> ourselves open to another possible 'adventure' that could sneak through
> unnoticed, before our users/customers are impacted. -proposed explicitly
> disabled by default has a purpose and requires being manually enabled, and
> once we flip that position, we may lose the value that explicit testing of
> packages in -proposed provides.

From an exposure perspective, I don't see how requiring manual enablement via sources.list is different from requiring manual opt-in through apt with -t. In both cases the user has to take an explicit opt-in step. Further, before we had NotAutomatic for proposed, it was one step before (add-apt-repository -p proposed) and I'm proposing that it be one step now that we have NotAutomatic (apt install -t <series>-proposed). Why do you think this is worse?

Robie
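As an added illustration of the opt-in step discussed above (this is not code from the thread or from apt itself): the default pin priorities apt_preferences(5) derives from a Release file's NotAutomatic/ButAutomaticUpgrades flags, and how naming a suite with -t changes which version apt picks. Suite names, package versions and the Release headers below are constructed, and the version comparison is a simplification of dpkg's.

```python
import re

# Default apt pin priorities from apt_preferences(5). The priority an archive
# gets depends on the NotAutomatic/ButAutomaticUpgrades flags in its Release file.
TARGET_PRIORITY = 990     # suite named with "apt install -t <suite>"
INSTALLED_PRIORITY = 100  # the version already installed on the system

def parse_release(text):
    """Return the header fields of an apt Release file as a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith(" "):
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields

def default_priority(release):
    """Priority apt assigns to versions from this archive with no pinning."""
    if release.get("NotAutomatic", "no") == "yes":
        # 100: only upgrades packages already installed from it; 1: never chosen by default
        return 100 if release.get("ButAutomaticUpgrades", "no") == "yes" else 1
    return 500

def version_key(version):
    """Simplified dpkg version ordering: numeric runs compare as integers."""
    return [int(t) if t.isdigit() else t for t in re.split(r"(\d+)", version) if t]

def candidate(available, installed=None, target_suite=None):
    """Pick the (suite, version) apt would install; -t raises target_suite to 990."""
    inst_key = version_key(installed) if installed else None
    ranked = []
    if installed:
        ranked.append((INSTALLED_PRIORITY, inst_key, "installed", installed))
    for suite, version, release in available:
        prio = TARGET_PRIORITY if suite == target_suite else default_priority(release)
        key = version_key(version)
        if inst_key is not None and prio < 1000 and key < inst_key:
            continue  # apt never downgrades at priorities below 1000
        ranked.append((prio, key, suite, version))
    _, _, suite, version = max(ranked)
    return suite, version

# Constructed Release headers and versions for a hypothetical package; not real archive data.
NOBLE = parse_release("Suite: noble\nNotAutomatic: no\n")
NOBLE_PROPOSED = parse_release("Suite: noble-proposed\nNotAutomatic: yes\nButAutomaticUpgrades: yes\n")
AVAILABLE = [("noble", "1.0-1", NOBLE), ("noble-proposed", "1.1-1", NOBLE_PROPOSED)]
```

With proposed present in sources.list but no -t, the release pocket still wins; once a version from proposed has been installed, ButAutomaticUpgrades keeps following proposed for that package.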
--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel