Ubuntu – Are security.ubuntu.com updates eventually merged into normal updates


Upon my observation, seems new packages will first appear in security.ubuntu.com, but if you upgrade later, they will appear in XX.archive.ubuntu.com (depends on your config),

Was that true ?

Best Answer

Short answer: no. Security updates never become "recommended" updates.

  • security.ubuntu.com is the same as archive.ubuntu.com (try pinging both and checking the IP they resolve to)
  • What matters for critical security updates is the -security repository, which is carried by all mirrors (e.g. precise-security)

    • The only reason I can think of that Ubuntu keeps using security.ubuntu.com instead of your local mirror is to minimize the risk of any problems if that mirror does not regularly sync to the master repository
    • If your mirror is updated regularly, you can just add/edit a line such as:
    deb http://xx.archive.ubuntu.com/ubuntu precise-security main restricted

From the official repository description:

  • "Important Security Updates (lucid-security)". Patches for security vulnerabilities in Ubuntu packages. They are managed by the Ubuntu Security Team and are designed to change the behavior of the package as little as possible -- in fact, the minimum required to resolve the security problem. As a result, they tend to be very low-risk to apply and all users are urged to apply security updates.
  • "Recommended Updates (lucid-updates)". Updates for serious bugs in Ubuntu packaging that do not affect the security of the system.
Related Question