Ubuntu – Package version updates policy


Not sure if this is the right place to ask; if not, please point me in the right direction.

Let's say there's a package, for the sake of a real-world example – bind9. In Precise and in Quantal it's version 9.8.1. The original developer (ISC) currently provides versions 9.8.4, which is a bugfix release in the 9.8 line, and 9.9.2, which is a "new features" branch. It looks like when a security issue is encountered, the specific bugfix is backported into 9.8.1.

Now the question: Why don't the maintainers just update to the latest bugfix release? Why backport only certain patches? Is it intentional, or is there just no maintainer who would make the effort to update to the latest bugfix release?

Best Answer

Ubuntu's policy on this is described on the Stable Release Updates page in the Wiki.

These policies are all driven by the (perfectly reasonable) fear of introducing regressions and causing inconvenience to existing users for bugs which didn't otherwise affect them. If bind9 is updated in a stable release and production servers fail or unacceptably change behaviour as a result, then that's a disaster for Ubuntu. Users will legitimately complain that a stable release failed to remain stable for them, and many would not consider "upstream did it" as a reasonable excuse; especially for the majority of them for whom the bugfix update was unnecessary anyway. "Unacceptably change behaviour" can mean different things for different users; for a stable release, any change in behaviour may be deemed unacceptable.

The SRU policy of minimal, verifiable fixes to stable releases only serves to prevent this scenario.

If upstreams provide bugfix releases, then these can be approved for acceptance on a standing basis, subject to the micro release exceptions policy.

But most packages in Ubuntu are based on Debian. Deviating from Debian always comes at the cost of extra work and so this kind of change can only be done if someone can commit to maintaining the extra burden that this creates.

The stable release team makes decisions on individual updates, and the technical board makes decisions on standing micro release exceptions.

Perhaps bind's bugfix release branch is suitable for a micro release exception. In this case, somebody needs to drive this, gather the upstream policy, regression history and so forth, put together a proposal and put it forward to the technical board for consideration.