Updated software notifications
Canonical provides timely, high-quality and tested security updates for all Ubuntu users for free for the lifetime of supported Ubuntu releases
Canonical publishes these updates to http://security.ubuntu.com which automatically triggers mirroring the updates to other parts of the Ubuntu archive
- Every three weeks, Certified Public Cloud (CPC) will generate images incorporating these updates (updates are always available to running instances as part of the normal update processes). Urgent updates may prompt image generation.
- Under normal circumstances, updates are provided Monday through Thursday only
- Emergency updates, while infrequent, may be provided at any time
Ubuntu Security prioritizes and provides updates to Ubuntu solely at its discretion taking into consideration all Ubuntu users as a whole.
By far, most security issues are public and the Ubuntu Security team tracks various sources to discover, triage and prioritize new issues.
Occasionally a security issue is embargoed and the Ubuntu Security team may have access to information regarding a security issue before it is made public. In these cases, Linux distributions and the affected software author agree to a Coordinated Release Date (CRD) where updates will only be released after this date. Importantly, the length of time that an issue is embargoed is limited and even more importantly, most often the patch information is changing up until the CRD. For the relatively rare times Canonical have advanced notice, Canonical will not forward detailed information along to other parties prior to the issue going public.
Sometimes requests arrive for advanced notice or access to security patches prior to the USN, but this cannot be given without risking losing access to the information ourselves, which would prevent us from preparing those updates ahead of time. This would be a disservice to those requesting the advance notice, our commercial partners and importantly, our users (wherever they may be).
Other times there are instead requests for access to the updated packages prior to USN publication. This cannot be done for embargoed updates for the reasons stated above. Unfortunately, this is also impractical for public issues because updates are released once they are QA'd by Canonical. The only way QA'd software can be made prior to USN publication would be to delay USN publication, which would be a disservice to our users. Interested third parties who want to participate in providing QA feedback for a particular security fix that is important to them may engage with Canonical to inquire about the status of a particular update and, if desired, request pre-QA'd packages be made available via the Ubuntu Security proposed ppa before Canonical begins their own QA. In these cases, Canonical will consider 3rd party testing feedback but may publish updates before receiving 3rd party feedback.