[04:20] <Press_F1_For> Hello, I have a question about the different versions of Ubuntu. In general which version of Ubuntu is more secure, the latest LTS or the latest non-LTS?
[04:24] <Press_F1_For> One thing that seems rather concerning is how the latest non-LTS version has an EOL kernel. Obviously it's not too hard to update the kernel manually, but I don't think that bodes well for the rest of the non-LTS repository, are there other important packages in the repo that aren't getting security patches?
[04:26] <guiverc[m]> Ubuntu will backport security fixes to the supported kernels of all supported releases. The 5.19 kernel for example used by 22.10, is the next HWE kernel of 22.04.2 (ie. it'll be the LTS kernel for ~5-6 months), so patching for 22.10 will also be applied to 22.04 if using the HWE kernel stack.
[04:26] <guiverc[m]> @Press_F1_For: ^
[04:27] <guiverc[m]> The Ubuntu Security team treat all [supported releases] equally in my experience (Note: I'm a user with no special knowledge in this area)
[04:32] <Press_F1_For> Hmm I'm a little confused. Are you saying they port patches for Kernel 5.4 LTS to the 5.19 kernel used by Ubuntu 22.10? Or are you saying the kernel being used by 22.10 is actually "5.4 but with patches to support newer hardware"?
[04:34] <guiverc[m]> 5.4 is the GA kernel of 20.04 & last HWE kernel of 18.04, and isn't a kernel stack option of 22.04. Ubuntu 22.04 LTS released with the 5.15 kernel as the GA option; HWE upgrades to use the 5.19 from 22.10 at 22.04.2, kernel from 23.04 (22.04.3), kernel from 23.10 (22.04.4) before finally settling with the GA kernel from 24.04 at 22.04.5 just like prior LTS systems if HWE is selected/used.
[04:35] <guiverc[m]> See https://wiki.ubuntu.com/Kernel/LTSEnablementStack for some details on GA & esp. Hardware Enablement kernel stack.
[04:38] <Press_F1_For> So the main point is, even though Kernel 5.19 is EOL it's being patched by Canonical until Ubuntu 22.10 is EOL? Is that correct?
[04:56] <guiverc[m]> Yep (or whichever is last using it; 22.04 should have moved to 23.04's kernel before 22.10's last (EOL) day making 22.10 the last using 5.19, ... but if 22.04 hadn't moved to 23.04's kernel for all architectures; it'll be until 22.04's moved to the newer kernel...)
[04:57] <guiverc[m]> (my ^ is an unlikely scenario, but it's happened before; recent cycle too if I'm recalling things correctly)
[04:58] <guiverc[m]> If you want to explore specific CVEs, you've found https://people.canonical.com/~ubuntu-security/cve/ ?
[17:03] <hallyn> hey sarnold - I'm trying and failing to think of a good place to note this, but shadow package will need to start build-depending on libbsd-dev as well. Hm, if we had actual git being used for the packaging, then I could just queue it up now...
[18:12] <ahasenack> https://code.launchpad.net/ubuntu/+source/shadow ?
[18:13] <ahasenack> but not stage the upload, just put up an MP against it
[18:13] <ahasenack> the *-devel branches are always tip
[19:09] <sarnold> hallyn: hey :) it looks to me a bit like balint is using salsa for shadow packaging? https://qa.debian.org/cgi-bin/vcswatch?package=shadow
[19:11] <hallyn> nice, thanks - maybe i can get an account to do a prthere
[19:11] <hallyn> pr there
[19:31] <sarnold> "here's a pr to fix an upcoming build failure" :)
[19:57] <teward> *merges sarnold with the latest build toolchain and it just hard errors out the wazoo*
[19:57] <teward> :p
[19:57] <sarnold> --force=ignore-errors
[19:58] <teward> *builds but now just segfaults on every run*
[19:58] <teward> :P
[19:58] <teward> aaaaaaaanyways *goes back to the abyss*