On Fri, 11 Mar 2022 at 19:10, Michael Torrie <torriem@gmail.com> wrote:
> Both Debian stable and Ubuntu LTS state they have a five year support
> life cycle.

Yes, but it seems that official security support in Debian ends after
three years:

"Debian LTS is not handled by the Debian security team, but by a
separate group of volunteers and companies interested in making it a
success"
https://wiki.debian.org/LTS

This is the only problem for me.

Marco Sulla <Marco.Sulla.Python@gmail.com> writes:

> On Fri, 11 Mar 2022 at 19:10, Michael Torrie <torriem@gmail.com> wrote:
>> Both Debian stable and Ubuntu LTS state they have a five year support
>> life cycle.
>
> Yes, but it seems that official security support in Debian ends after
> three years:
>
> "Debian LTS is not handled by the Debian security team, but by a
> separate group of volunteers and companies interested in making it a
> success"
> https://wiki.debian.org/LTS
>
> This is the only problem for me.

I am not sure how different the two situations are. Ubuntu is
presumably relying on the Debian security team as well as other
volunteers and at least one company, namely Canonical.

The sysadmins I know who are interested in long-term stability and
avoiding unnecessary OS updates use Debian rather than Ubuntu, but
that's maybe just my bubble.

Cheers,

Loris

--
This signature is currently under construction.

On Mon, 14 Mar 2022 at 18:33, Loris Bennett <loris.bennett@fu-berlin.de> wrote:
> I am not sure how different the two situations are. Ubuntu is
> presumably relying on the Debian security team as well as other
> volunteers and at least one company, namely Canonical.

So do you think that Canonical contributes to the LTS security team of
Debian? It could be. In this perspective, there should be little
difference between Debian and Ubuntu. Debian 11 with XFCE is really
tempting...

Dear Loris,

"Loris Bennett" <loris.bennett@fu-berlin.de> writes:

> (...thanks...)
> The sysadmins I know who are interested in long-term stability and
> avoiding unnecessary OS updates use Debian rather than Ubuntu,

+1; Reasonable!

Sincerely, Linux fan Byung-Hee

--
^고맙습니다 _地平天成_ 감사합니다_^))//

"Loris Bennett" <loris.bennett@fu-berlin.de> writes:

> Marco Sulla <Marco.Sulla.Python@gmail.com> writes:
>
>> On Fri, 11 Mar 2022 at 19:10, Michael Torrie <torriem@gmail.com> wrote:
>>> Both Debian stable and Ubuntu LTS state they have a five year support
>>> life cycle.
>>
>> Yes, but it seems that official security support in Debian ends after
>> three years:
>>
>> "Debian LTS is not handled by the Debian security team, but by a
>> separate group of volunteers and companies interested in making it a
>> success"
>> https://wiki.debian.org/LTS
>>
>> This is the only problem for me.
>
> I am not sure how different the two situations are. Ubuntu is
> presumably relying on the Debian security team as well as other
> volunteers and at least one company, namely Canonical.

Nope. One important reason that I really hate that people use Ubuntu
for servers is that Ubuntu wants to be up to date. So Ubuntu starts
very close to Debian security wise, but will shift rapidly.

--
Cecil Westerhof
Senior Software Engineer
LinkedIn: http://www.linkedin.com/in/cecilwesterhof

On 2022-03-28 15:35:07 +0200, Cecil Westerhof via Python-list wrote:
> "Loris Bennett" <loris.bennett@fu-berlin.de> writes:
> > Ubuntu is presumably relying on the Debian security team as well as
> > other volunteers and at least one company, namely Canonical.
>
> Nope. One important reason that I really hate that people use Ubuntu
> for servers is that Ubuntu wants to be up to date.

Not sure what you mean by that.

There is an Ubuntu LTS release every 2 years. There is also a Debian
release roughly every 2 years (although not on quite as strict a
schedule). So that's very similar.

> So Ubuntu starts very close to Debian security wise, but will shift
> rapidly.

They are are about a year apart, so they will usually contain different
versions of most packages right from the start. So the Ubuntu and Debian
security teams probably can't benefit much from each other.

hp

--
_ | Peter J. Holzer | Story must make more sense than reality.
|_|_) | |
| | | hjp@hjp.at | -- Charles Stross, "Creative writing
__/ | http://www.hjp.at/ | challenge!"

On Tue, 29 Mar 2022 at 00:10, Peter J. Holzer <hjp-python@hjp.at> wrote:
> They are are about a year apart, so they will usually contain different
> versions of most packages right from the start. So the Ubuntu and Debian
> security teams probably can't benefit much from each other.

Are you sure? Since LTS of Debian and Ubuntu lasts 5 years, I suppose
the versions of the packages should overlap at some point in the past.

On 2022-03-30 08:48:36 +0200, Marco Sulla wrote:
> On Tue, 29 Mar 2022 at 00:10, Peter J. Holzer <hjp-python@hjp.at> wrote:
> > They are are about a year apart, so they will usually contain different
> > versions of most packages right from the start. So the Ubuntu and Debian
> > security teams probably can't benefit much from each other.
>
> Are you sure? Since LTS of Debian and Ubuntu lasts 5 years, I suppose
> the versions of the packages should overlap at some point in the past.

Standard policy (there are exceptions) on most distros is to stay with
the same version of any package for the entire lifetime. So for example,
Ubuntu 20.04 was released with Apache 2.4.41 and Python 3.8.10 and
Debian 11 was released with Apache 2.4.53 and Python 3.9.2 and they are
still on these versions. Any security fixes and other critical bug fixes
were back-ported to these versions.

hp

--
_ | Peter J. Holzer | Story must make more sense than reality.
|_|_) | |
| | | hjp@hjp.at | -- Charles Stross, "Creative writing
__/ | http://www.hjp.at/ | challenge!"

"Peter J. Holzer" <hjp-python@hjp.at> writes:

> On 2022-03-28 15:35:07 +0200, Cecil Westerhof via Python-list wrote:
>> "Loris Bennett" <loris.bennett@fu-berlin.de> writes:
>> > Ubuntu is presumably relying on the Debian security team as well as
>> > other volunteers and at least one company, namely Canonical.
>>
>> Nope. One important reason that I really hate that people use Ubuntu
>> for servers is that Ubuntu wants to be up to date.
>
> Not sure what you mean by that.
>
> There is an Ubuntu LTS release every 2 years. There is also a Debian
> release roughly every 2 years (although not on quite as strict a
> schedule). So that's very similar.
>
>> So Ubuntu starts very close to Debian security wise, but will shift
>> rapidly.
>
> They are are about a year apart, so they will usually contain different
> versions of most packages right from the start. So the Ubuntu and Debian
> security teams probably can't benefit much from each other.

That is is what I partly mean.

Debian is very big on security and stability. Most people think that
Ubuntu is that also, because it is based on Debian. But Ubuntu wants
also provide the newest versions of software and this will affect the
stability and security negatively.
Even for a desktop I find stability and security more important as the
newest versions. That is why I even for the desktop use Debian.
Personally I find it strange that people choose newest versions over
stability and security for a server.

--
Cecil Westerhof
Senior Software Engineer
LinkedIn: http://www.linkedin.com/in/cecilwesterhof

"Peter J. Holzer" <hjp-python@hjp.at> writes:

> On 2022-03-30 08:48:36 +0200, Marco Sulla wrote:
>> On Tue, 29 Mar 2022 at 00:10, Peter J. Holzer <hjp-python@hjp.at> wrote:
>> > They are are about a year apart, so they will usually contain different
>> > versions of most packages right from the start. So the Ubuntu and Debian
>> > security teams probably can't benefit much from each other.
>>
>> Are you sure? Since LTS of Debian and Ubuntu lasts 5 years, I suppose
>> the versions of the packages should overlap at some point in the past.
>
> Standard policy (there are exceptions) on most distros is to stay with
> the same version of any package for the entire lifetime. So for example,
> Ubuntu 20.04 was released with Apache 2.4.41 and Python 3.8.10 and
> Debian 11 was released with Apache 2.4.53 and Python 3.9.2 and they are
> still on these versions. Any security fixes and other critical bug fixes
> were back-ported to these versions.

Are you sure? In the past this was not the case, but it is possible
that this has changed. (I do not really follow other distributions. I
am quite happy with Debian.)

--
Cecil Westerhof
Senior Software Engineer
LinkedIn: http://www.linkedin.com/in/cecilwesterhof

On 2022-03-31 09:46:14 +0200, Cecil Westerhof via Python-list wrote:
> "Peter J. Holzer" <hjp-python@hjp.at> writes:
> > Standard policy (there are exceptions) on most distros is to stay with
> > the same version of any package for the entire lifetime. So for example,
> > Ubuntu 20.04 was released with Apache 2.4.41 and Python 3.8.10 and
> > Debian 11 was released with Apache 2.4.53 and Python 3.9.2 and they are
> > still on these versions. Any security fixes and other critical bug fixes
> > were back-ported to these versions.
>
> Are you sure? In the past this was not the case, but it is possible
> that this has changed. (I do not really follow other distributions. I
> am quite happy with Debian.)

This has always been the case with Debian (they even created a special
repo for packages where this wasn't feasible, like browsers (which
typically update every few weeks and are too large for the security team
to backport security fixes).

In my experience it's also the case for Ubuntu (see the version numbers
I posted).

It also was the case for Redhat, but they seem to have switched to a
rolling updates model some time ago. I'm not sure how they handle that
now.

hp

--
_ | Peter J. Holzer | Story must make more sense than reality.
|_|_) | |
| | | hjp@hjp.at | -- Charles Stross, "Creative writing
__/ | http://www.hjp.at/ | challenge!"

On Thu, 31 Mar 2022 at 18:38, Cecil Westerhof via Python-list
<python-list@python.org> wrote:
> Most people think that
> Ubuntu is that also, because it is based on Debian. But Ubuntu wants
> also provide the newest versions of software and this will affect the
> stability and security negatively.

I think you're referring to the fact that Ubuntu releases a new stable
version every 6 months, while Debian every 2 years. This is true, but
Ubuntu also releases a LTS every 2 years. You can install a LTS and
change the options so you'll update the system only where a new LTS is
coming out. Furthermore you're not forced to upgrade, you can do it
when the LTS comes to the end.

On the other hand, you can live on the edge with Debian too. You can
install an unstable branch.

Furthermore, there's the company factor. According to Google, Debian
has about 1k devs, while Ubuntu only about 250. But these devs work
full time on Ubuntu and they are paid for. Not sure this is not an
important point. For what I know, historically the distros with the
reputation to be more stable are distros maintained by companies, Red
Hat and Gentoo for example.

About stability and security, I can't disagree. But I suppose the
people that use the unstable version of some Linux distro are useful
for testing and reporting bugs, also security one. So they contribute
to the stable versions, and I think we have to be grateful to these
"pioneers".

Marco Sulla <Marco.Sulla.Python@gmail.com> writes:

> On Thu, 31 Mar 2022 at 18:38, Cecil Westerhof via Python-list
> <python-list@python.org> wrote:
>> Most people think that
>> Ubuntu is that also, because it is based on Debian. But Ubuntu wants
>> also provide the newest versions of software and this will affect the
>> stability and security negatively.
>
> I think you're referring to the fact that Ubuntu releases a new stable
> version every 6 months, while Debian every 2 years. This is true, but
> Ubuntu also releases a LTS every 2 years. You can install a LTS and
> change the options so you'll update the system only where a new LTS is
> coming out. Furthermore you're not forced to upgrade, you can do it
> when the LTS comes to the end.

No I am referring to the fact that Debian is focused on stability and
security and Ubuntu is more focused on latest versions. When Ubuntu
brings out a new version it is based on Debian and the risks are the
same. But after that Ubuntu installs its own updates and diverges from
Debian. So it has more cutting edge versions, but less stability and
security.
For a desktop that does not have to be a problem, but for a server I
should opt for stability and security instead of cutting edge. Unless
there is a very good reason otherwise.

> On the other hand, you can live on the edge with Debian too. You can
> install an unstable branch.

And testing, between stable and unstable.

> Furthermore, there's the company factor. According to Google, Debian
> has about 1k devs, while Ubuntu only about 250. But these devs work
> full time on Ubuntu and they are paid for. Not sure this is not an
> important point. For what I know, historically the distros with the
> reputation to be more stable are distros maintained by companies, Red
> Hat and Gentoo for example.

It is also what you focus on.

I am no expert, but as I understood it, Debian is the most stable
Linux distribution.
(Was one of the reasons to switch to it.)

> About stability and security, I can't disagree. But I suppose the
> people that use the unstable version of some Linux distro are useful
> for testing and reporting bugs, also security one. So they contribute
> to the stable versions, and I think we have to be grateful to these
> "pioneers".

I have no problem with people using 'unstable' distributions. What I
do not understand is that people/companies use less stable
distributions for critical servers for no good reason.

--
Cecil Westerhof
Senior Software Engineer
LinkedIn: http://www.linkedin.com/in/cecilwesterhof

On Tue, 29 Mar 2022 at 00:10, Peter J. Holzer <hjp-python@hjp.at> wrote:
> They are are about a year apart, so they will usually contain different
> versions of most packages right from the start. So the Ubuntu and Debian
> security teams probably can't benefit much from each other.

Well, this is what my updater on Lubuntu says to me today:

Changes for tcpdump versions:
Installed version: 4.9.3-0ubuntu0.18.04.1
Available version: 4.9.3-0ubuntu0.18.04.2

Version 4.9.3-0ubuntu0.18.04.2:

* SECURITY UPDATE: buffer overflow in read_infile
- debian/patches/CVE-2018-16301.patch: Add check of
file size before allocating and reading content in
tcpdump.c and netdissect-stdinc.h.
- CVE-2018-16301
* SECURITY UPDATE: resource exhaustion with big packets
- debian/patches/CVE-2020-8037.patch: Add a limit to the
amount of space that can be allocated when reading the
packet.
- CVE-2020-8037

I use an LTS version. So it seems that Ubuntu benefits from Debian
security patches. Not sure about the contrary.

On 2022-04-12 21:03:00 +0200, Marco Sulla wrote:
> On Tue, 29 Mar 2022 at 00:10, Peter J. Holzer <hjp-python@hjp.at> wrote:
> > They are are about a year apart, so they will usually contain different
> > versions of most packages right from the start. So the Ubuntu and Debian
> > security teams probably can't benefit much from each other.
>
> Well, this is what my updater on Lubuntu says to me today:
>
> Changes for tcpdump versions:
> Installed version: 4.9.3-0ubuntu0.18.04.1
> Available version: 4.9.3-0ubuntu0.18.04.2
>
> Version 4.9.3-0ubuntu0.18.04.2:
>
> * SECURITY UPDATE: buffer overflow in read_infile
> - debian/patches/CVE-2018-16301.patch: Add check of
> file size before allocating and reading content in
> tcpdump.c and netdissect-stdinc.h.
> - CVE-2018-16301
> * SECURITY UPDATE: resource exhaustion with big packets
> - debian/patches/CVE-2020-8037.patch: Add a limit to the
> amount of space that can be allocated when reading the
> packet.
> - CVE-2020-8037
>
> I use an LTS version. So it seems that Ubuntu benefits from Debian
> security patches.

Why do you think so? Because the release notes mention debian/patches/*.patch?
This may be an artefact of the build process. The build tools for .deb
packages expect all kinds of meta-data to live in a subdirectory called
"debian", even on non-debian systems. This includes patches, at least if
the maintainer is using quilt (which AFAIK is currently the recommended
tool for that purpose).

OTOH tcpdump would be one of the those packages where Ubuntu could use a
Debian patch directly: 4.9.3 has been the latest version for quite some
time (I have it in Debian 9, Ubuntu 18, Debian 10 and Ubuntu 20, but not
in Debian 11 (4.99.0)), so if any of those is patched, the others can
(almost certainly) use the patch with little or no changes). I think
this is rare, though: Packages with frequent security patches tend to
have frequent feature updates, too.

hp

--
_ | Peter J. Holzer | Story must make more sense than reality.
|_|_) | |
| | | hjp@hjp.at | -- Charles Stross, "Creative writing
__/ | http://www.hjp.at/ | challenge!"

On Wed, 13 Apr 2022 at 20:05, Peter J. Holzer <hjp-python@hjp.at> wrote:
>
> On 2022-04-12 21:03:00 +0200, Marco Sulla wrote:
> > On Tue, 29 Mar 2022 at 00:10, Peter J. Holzer <hjp-python@hjp.at> wrote:
> > > They are are about a year apart, so they will usually contain different
> > > versions of most packages right from the start. So the Ubuntu and Debian
> > > security teams probably can't benefit much from each other.
> >
> > Well, this is what my updater on Lubuntu says to me today:
> >
> > Changes for tcpdump versions:
> > Installed version: 4.9.3-0ubuntu0.18.04.1
> > Available version: 4.9.3-0ubuntu0.18.04.2
> >
> > Version 4.9.3-0ubuntu0.18.04.2:
> >
> > * SECURITY UPDATE: buffer overflow in read_infile
> > - debian/patches/CVE-2018-16301.patch: Add check of
> > file size before allocating and reading content in
> > tcpdump.c and netdissect-stdinc.h.
> > - CVE-2018-16301
> > * SECURITY UPDATE: resource exhaustion with big packets
> > - debian/patches/CVE-2020-8037.patch: Add a limit to the
> > amount of space that can be allocated when reading the
> > packet.
> > - CVE-2020-8037
> >
> > I use an LTS version. So it seems that Ubuntu benefits from Debian
> > security patches.
>
> Why do you think so? Because the release notes mention debian/patches/*.patch?

Of course.

> This may be an artefact of the build process. The build tools for .deb
> packages expect all kinds of meta-data to live in a subdirectory called
> "debian", even on non-debian systems. This includes patches, at least if
> the maintainer is using quilt (which AFAIK is currently the recommended
> tool for that purpose).

And why does the security update package contain metadata about Debian
patches, if the Ubuntu security team did not benefit from Debian
security patches but only from internal work?

> OTOH tcpdump would be one of the those packages where Ubuntu could use a
> Debian patch directly [...]

It doesn't seem so. This is a fresh new security update:

Changes for git versions:
Installed version: 1:2.17.1-1ubuntu0.9
Available version: 1:2.17.1-1ubuntu0.10

Version 1:2.17.1-1ubuntu0.10:

* SECURITY UPDATE: Run commands in diff users
- debian/patches/CVE-2022-24765-*.patch: fix GIT_CEILING_DIRECTORIES; add
an owner check for the top-level-directory; add a function to
determine whether a path is owned by the current user in patch.c,
t/t0060-path-utils.sh, setup.c, compat/mingw.c, compat/mingw.h,
git-compat-util.hi, config.c, config.h.
- CVE-2022-24765

I checked packages.debian.org and git 2.17 was never on Debian:

Package git

stretch (oldoldstable) (vcs): fast, scalable, distributed revision
control system
1:2.11.0-3+deb9u7: amd64 arm64 armel armhf i386 mips mips64el mipsel
ppc64el s390x
stretch-backports (vcs): fast, scalable, distributed revision control system
1:2.20.1-1~bpo9+1: amd64 arm64 armel armhf i386 mips mips64el mipsel
ppc64el s390x
buster (oldstable) (vcs): fast, scalable, distributed revision control system
1:2.20.1-2+deb10u3: amd64 arm64 armel armhf i386 mips mips64el mipsel
ppc64el s390x

etc.
https://packages.debian.org/search?keywords=git

On 2022-04-14 19:31:58 +0200, Marco Sulla wrote:
> On Wed, 13 Apr 2022 at 20:05, Peter J. Holzer <hjp-python@hjp.at> wrote:
> >
> > On 2022-04-12 21:03:00 +0200, Marco Sulla wrote:
> > > On Tue, 29 Mar 2022 at 00:10, Peter J. Holzer <hjp-python@hjp.at> wrote:
> > > > They are are about a year apart, so they will usually contain
> > > > different versions of most packages right from the start. So the
> > > > Ubuntu and Debian security teams probably can't benefit much
> > > > from each other.
> > >
> > > Well, this is what my updater on Lubuntu says to me today:
[...]
> > > - debian/patches/CVE-2018-16301.patch: Add check of
[...]
> > > - debian/patches/CVE-2020-8037.patch: Add a limit to the
[...]
> > > I use an LTS version. So it seems that Ubuntu benefits from Debian
> > > security patches.
> >
> > Why do you think so? Because the release notes mention
> > debian/patches/*.patch?
>
> Of course.
>
> > This may be an artefact of the build process. The build tools for .deb
> > packages expect all kinds of meta-data to live in a subdirectory called
> > "debian", even on non-debian systems. This includes patches, at least if
> > the maintainer is using quilt (which AFAIK is currently the recommended
> > tool for that purpose).
>
> And why does the security update package contain metadata about Debian
> patches,

It doesn't (or at least you can't conclude that from the evidence you
posted).

There is a subdirectory called "debian" in the build directory of every
.deb package. This is true on Debian, Ubuntu and every other
distribution which uses the .deb package format. This directory is
required by the build tools and it contains all the data (e.g. build
instructions, dependencies, patches, description, extra documentation)
which was added by the packager. The name of the directory does not
imply that any of the files there was created by Debian. I have built
quite a few packages myself and I'm not a member of the Debian team.

hp

--
_ | Peter J. Holzer | Story must make more sense than reality.
|_|_) | |
| | | hjp@hjp.at | -- Charles Stross, "Creative writing
__/ | http://www.hjp.at/ | challenge!"

On Sat, 16 Apr 2022 at 10:15, Peter J. Holzer <hjp-python@hjp.at> wrote:
> It doesn't (or at least you can't conclude that from the evidence you
> posted).
>
> There is a subdirectory called "debian" in the build directory of every
> .deb package. This is true on Debian, Ubuntu and every other
> distribution which uses the .deb package format. This directory is
> required by the build tools and it contains all the data (e.g. build
> instructions, dependencies, patches, description, extra documentation)
> which was added by the packager. The name of the directory does not
> imply that any of the files there was created by Debian. I have built
> quite a few packages myself and I'm not a member of the Debian team.

Actually I don't care if the package was made by Debian. I'm sure that
it does not, since the Ubuntu packages have other terminology in
versions. For example, the git package is version 2.17.1-1ubuntu0.10

The important fact is that I suppose it's quite evident that the
Ubuntu team uses Debian patches to release their security updates,
since the release notes are public and worldwide, made by a
professional company, they are not made by an amateur. Furthermore I
checked all the security updates my system released when we started
this discussion, and all of them have release notes that contain
information about security patches made by Debian. Only the security
updates have these infos. Is it an amazing coincidence? I suppose no.

Furthermore, you didn't answer my simple question: why does the
security update package contain metadata about Debian patches, if the
Ubuntu security team did not benefit from Debian security patches but
only from internal work? I suppose I have to answer myself: because
the patch applied by Ubuntu _is_ actually a Debian patch.

The more interesting fact is that I checked all the security updates
and it seems they are only applications of Debian patches. So it seems
that the work of the Ubuntu security team is only to apply Debian
security patches. If so, probably Debian is really more secure than
Ubuntu, since I don't know if all the security patches made by Debian
are applied.

On 2022-04-16 16:49:17 +0200, Marco Sulla wrote:
> Furthermore, you didn't answer my simple question: why does the
> security update package contain metadata about Debian patches, if the
> Ubuntu security team did not benefit from Debian security patches but
> only from internal work?

It DOES NOT contain metadata about Debian patches. You are
misinterpreting the name "debian". The directory has this name because
the tools (dpkg, quilt, etc.) were originally written by the Debian team
for the Debian distribution. Ubuntu uses the same tools. They didn't
bother to rename the directory (why should they?), so the directory is
still called "debian" on Ubuntu (and yes I know this because I've built
numerous .deb packages on Ubuntu systems).

For example, here is the patches directory of one of my own packages:

% ls -l debian/patches
total 24
-rw-r--r-- 1 hjp hjp 982 Sep 12 2017 makefile
-rw-r--r-- 1 hjp hjp 966 Sep 12 2017 makefile-all
-rw-r--r-- 1 hjp hjp 367 Jan 15 2021 makefile-checkmk.diff
-rw-r--r-- 1 hjp hjp 849 Dec 14 2017 makefile-check_cronwrapper
-rw-r--r-- 1 hjp hjp 1126 Sep 12 2017 makefile-mkdir
-rw-r--r-- 1 hjp hjp 86 Jan 15 2021 series

5 patches in the subdirectory debian/patches (the file "series" just
contains the list of patches in proper order). None of these patches was
written by Debian. They were all written by me. Yet they are all in a
subdirectory "debian/patches", because that's where they have to be for
the tools to find them (yes, this is on Ubuntu).

hp

--
_ | Peter J. Holzer | Story must make more sense than reality.
|_|_) | |
| | | hjp@hjp.at | -- Charles Stross, "Creative writing
__/ | http://www.hjp.at/ | challenge!"

On Sat, 16 Apr 2022 at 17:14, Peter J. Holzer <hjp-python@hjp.at> wrote:
>
> On 2022-04-16 16:49:17 +0200, Marco Sulla wrote:
> > Furthermore, you didn't answer my simple question: why does the
> > security update package contain metadata about Debian patches, if the
> > Ubuntu security team did not benefit from Debian security patches but
> > only from internal work?
>
> It DOES NOT contain metadata about Debian patches. You are
> misinterpreting the name "debian". The directory has this name because
> the tools (dpkg, quilt, etc.) were originally written by the Debian team
> for the Debian distribution. Ubuntu uses the same tools. They didn't
> bother to rename the directory (why should they?), so the directory is
> still called "debian" on Ubuntu (and yes I know this because I've built
> numerous .deb packages on Ubuntu systems).

Ah ok, now I understand. Sorry for the confusion.