How do I find the full "community history" of how the updates listed by "software updater" made it into my Ubuntu machine?
The question is for the general workflow to obtain the "community history" of updates, not the "community history" of all updates available.
What I am after is for example
- Patch(es) related to the update on mailing list(s)
- Community discussions about the update
- Source code related to the update
- Git commits related to the update
- People responsible for the update
- How does software updater know which repositories to fetch updates from?
- If software updater finds updates for a specific package in different repositories, but one is older and the other is newer, how does it select?
- etc
Background:
It seems about once or a couple of times each week the "Software updater" displays:
Updated software is available for this computer. Do you want to install it now?
From what I understand, these updates are the same as SRUs – Stable Release Updates? Or are only updates from Canonical/Ubuntu called "SRUs", while non-Canonical/Ubuntu updates are not called SRUs?
Here is a screenshot of my "Software Updater", how do I for example find the "community origin" (patch(es), discussions, etc, if any) of the Chrome update (Available version: 44.0.2403.157-1) which is highlighted in the screenshot? Then when this update is installed, where do I find info about it on my machine?
How do I list all the updates installed on my machine and how do I list all the available updates that are not yet installed?
The suggested duplicate of "Show apt-get installed packages history via commandline?" asks about listing packages installed, my question is about updates and how to trace the origin of the updates and how they make into my Ubuntu machine.
Best Answer
First off, an important clarification:
The terms "Stable Release Updates" and "Security Updates" (don't forget them!) apply to packages in main, universe, restricted and multiverse. PPAs or other third-party repositories may have their own release schedules and policies. In your screenshot I see "google-chrome-stable" -- this is not a Ubuntu package and it does not follow the Ubuntu release schedule.
Having said that, here's what you asked for:
For every Ubuntu update, the point of reference is the Launchpad bug. This is where you can find most of the information related to the problem(s) and solution(s).
You can get the bug numbers by checking the changelog of each package. For example, as of writing, this is the last entry from
apt-get changelog nautilus:As you can see, the log entry refers to bug #1453655.
For security bugs, generally the bug report is private (to prevent malicious people from accessing critical information) and, generally, instead of the Launchpad bug number you'll find the CVE number.
Patches applied by Ubuntu (or by Debian) are in the source package, in the
debian/patchesdirectory. If you want to download the source packages for Nautilus, useapt-get source nautilus.If a Stable Release Update or a Security Update introduces a new version of the software (e.g. a new version of Firefox), you'll have to look upstream for the full delta.
Not all package sources are available under version control (git, hg, bzr, ...).
Discussion generally happen on Launchpad. If necessary, the ubuntu-devel mailing list may be used too.
People responsible for updates are the people who provide the updates (package maintainers or contributors), the Ubuntu SRU Team and the Ubuntu Security Team.
Note that not all of these people are Canonical employees. Be kind and don't forget those contributors who use their spare time to maintain stability and security in Ubuntu :-)
The process for Stable Release Updates and Security Updates is documented on the Ubuntu Wiki: https://wiki.ubuntu.com/StableReleaseUpdates and https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures