6

I know about the difference between, for example, focal-security, focal-updates and focal-backports.
But /etc/apt/sources.list also has URLs for focal in addition to the others.

This is confusing. Is focal only what came packaged with the distro release? Or what was available at that point in time?
Or is it the initial version 1.0 of every package? Does it not get security updates?
Also, what's it called? The "default" repo / channel?

What would happen, for example, if I had only focal enabled, or only focal-security enabled?
What's the point in making a distinction between those two repos? Or is it just an alias for focal-security?

Related (but doesn't quite answer specifically about this difference):

geekley
  • 697

1 Answers1

10

This is addressed in the Security Team FAQ:

How are components and pockets used in the builds, and how do they affect security updates?

[...]

Ubuntu also has several pockets that further divide the archive: release, security, updates, proposed and backports. [...] The release pocket is simply the name of the release, and the other pockets are denoted by <release name>-<pocket>. For example, the release pocket for Ubuntu 16.04 LTS, the Xenial Xerus, is simply xenial, while the security pocket for Ubuntu 16.04 LTS is xenial-security. Packages in release, security and updates are supported by the Ubuntu Security team, while packages in backports are supported by the community and packages in proposed are the responsibility of the uploader. When packages are built, only certain pockets are available during the build:

  • release: during the development cycle, this is the only pocket that is used. Once the development version is released, the release pocket is frozen and does not change.

  • security: built with release and security. UpdateProcedures gives the process used for creating security updates.

  • proposed: built with release, security, updates and proposed

  • updates: as a matter of Ubuntu policy, packages in updates are not directly built, but rather copied from proposed after they have been tested. See StableReleaseUpdates for details. If a special circumstance warrants building a package in updates without going through proposed first, it would be built with release, security and updates (also, the default configuration for unofficial PPAs is to build with this configuration).

  • backports: built with release, security, updates and backports. See UbuntuBackports for details.

What repositories and pockets should I use to make sure my systems are up to date?

  • By default, Ubuntu systems have both the security and updates pockets enabled. Systems configured to use only the security pocket are also supported.

  • While packages are copied from security to updates frequently, it is recommended that systems always have the security pocket enabled, and use security.ubuntu.com for this pocket. For all other pockets feel free to use archive.ubuntu.com or an archive mirror{.https}. This combination will ensure you are able to download important updates immediately while taking advantage of the mirror network or archive.ubuntu.com for all other downloads. Ubuntu systems are configured in this manner by default.

So:

Is focal only what came packaged with the distro release?

Yes.

Does it not get security updates?

No.

Also, what's it called?

The "release" pocket.

What would happen, for example, if I had only focal enabled, or only focal-security enabled?

With only focal enabled, you'd be effectively limited to being able to install packages included in initial 20.04 release. With only focal-security enabled, you'd have a broken system, since you would quickly run into dependency problems (since not all dependencies would have had security updates, so some would still be only in focal).

muru
  • 207,228