Suggestion for Linux Distro (from PSA: Linux vulnerability)

Marco Sulla Marco.Sulla.Python at gmail.com
Sat Apr 16 10:49:17 EDT 2022


On Sat, 16 Apr 2022 at 10:15, Peter J. Holzer <hjp-python at hjp.at> wrote:
> It doesn't (or at least you can't conclude that from the evidence you
> posted).
>
> There is a subdirectory called "debian" in the build directory of every
> .deb package. This is true on Debian, Ubuntu and every other
> distribution which uses the .deb package format. This directory is
> required by the build tools and it contains all the data (e.g. build
> instructions, dependencies, patches, description, extra documentation)
> which was added by the packager. The name of the directory does not
> imply that any of the files there was created by Debian. I have built
> quite a few packages myself and I'm not a member of the Debian team.

Actually I don't care if the package was made by Debian. I'm sure that
it was not, since the Ubuntu packages have other terminology in
versions. For example, the git package is version 2.17.1-1ubuntu0.10

The important fact is that I suppose it's quite evident that the
Ubuntu team uses Debian patches to release their security updates,
since the release notes are public and worldwide, made by a
professional company, they are not made by an amateur. Furthermore I
checked all the security updates my system released when we started
this discussion, and all of them have release notes that contain
information about security patches made by Debian. Only the security
updates have this info. Is it an amazing coincidence? I suppose not.

Furthermore, you didn't answer my simple question: why does the
security update package contain metadata about Debian patches, if the
Ubuntu security team did not benefit from Debian security patches but
only from internal work? I suppose I have to answer myself: because
the patch applied by Ubuntu _is_ actually a Debian patch.

The more interesting fact is that I checked all the security updates
and it seems they are only applications of Debian patches. So it seems
that the work of the Ubuntu security team is only to apply Debian
security patches. If so, probably Debian is really more secure than
Ubuntu, since I don't know if all the security patches made by Debian
are applied.
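
The thread turns on who authored the patches shipped under a package's debian/ directory. The following is an added example, not part of the original thread: it reads the DEP-3 header fields (Origin, Author/From, Bug-<Vendor>) that a patch file may carry and reports the provenance the patch itself declares. The sample headers are constructed, the labels "origin-uncategorized", "author-only" and "undocumented" are this example's own, and it assumes the header is the first paragraph of the file.

```python
import re

# Constructed sample headers for illustration; not taken from any real package.
SAMPLES = {
    "fix-overflow.patch": (
        "Description: Fix buffer overflow in parser\n"
        "Origin: upstream, https://example.org/commit/PLACEHOLDER\n"
        "Bug-Debian: https://bugs.example.org/PLACEHOLDER\n"
        "---\n--- a/parser.c\n+++ b/parser.c\n"),
    "vendor-paths.patch": (
        "Description: Adjust default config path\n"
        " for the distribution layout\n"
        "Author: Jane Packager <jane@example.org>\n"
        "\n--- a/config.c\n+++ b/config.c\n"),
    "no-header.patch": "--- a/main.c\n+++ b/main.c\n",
}

FIELD = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")
CATEGORIES = {"upstream", "backport", "vendor", "other"}  # DEP-3 Origin categories

def parse_dep3(text):
    """Return the first header paragraph of a patch as {lowercase field: value}."""
    fields, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("---", "diff ", "Index:")):
            break  # header ends at a blank line or where the diff starts
        m = FIELD.match(line)
        if m:
            last = m.group(1).lower()
            fields[last] = m.group(2).strip()
        elif line[0].isspace() and last:
            fields[last] += " " + line.strip()  # folded continuation line
    return fields

def provenance(text):
    """Classify a patch by what its own header declares, plus cited bug trackers."""
    f = parse_dep3(text)
    category = f.get("origin", "").split(",", 1)[0].strip().lower()
    trackers = sorted(k[4:] for k in f if k.startswith("bug-"))
    if category in CATEGORIES:
        return category, trackers
    if "origin" in f:
        return "origin-uncategorized", trackers
    if "author" in f or "from" in f:
        return "author-only", trackers
    return "undocumented", trackers

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, provenance(text))
```

A result of "undocumented" says only that the patch carries no header; it is not evidence about who wrote it.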

