multiverse security implications

Asked by Acceptable Name

Why is multiverse enabled by default when applying security updates to multiverse packages is discretional?

If at the discretion of the Ubuntu security team a vulnerability may be ignored, some users may have installed packages that will be missing security updates. Putting a warning in /etc/apt/security.list may never be seen by some users.

The installation process for 22.04 desktop does not have any warnings about multiverse or controls to disable multiverse, it just gets enabled by default.

Some Ubuntu security hardening guides say to disable multiverse but they may never by some users.

If some or all of these conditions are true, there may be some liability issues.

Question information

Language:
English Edit question
Status:
Solved
For:
Ubuntu ubiquity Edit question
Assignee:
No assignee Edit question
Solved by:
Acceptable Name
Solved:
Last query:
Last reply:
Revision history for this message
Bernard Stafford (bernard010) said :
#1

1st. multi Universe Respiratory is an optional decision.
Going beyond the official base repository is taking a chance and not supported.
https://wiki.ubuntu.com/Base even with 22.04 LTS

https://help.ubuntu.com/community/Repositories/Ubuntu

Multiverse - Software restricted by copyright or legal issues.

Revision history for this message
Acceptable Name (metta-crawler) said :
#3

When I install ubuntu-22.04-desktop-amd64.iso the multiverse repository is enabled instantly with no ability to disable it during the GUI installation. I have to manually disable it. Why is multiverse enabled by default when applying security updates to multiverse packages is discretional?

Revision history for this message
Acceptable Name (metta-crawler) said :
#4

I think older versions of Ubuntu did not enable multiverse by default but that was changed and now ubuntu-22.04-desktop-amd64.iso comes with it enabled.

Revision history for this message
Bernard Stafford (bernard010) said (last edit ):
#5

https://help.ubuntu.com/community/Repositories/Ubuntu
Activities -> Software & Updates -> Select Ubuntu Software tab ->
Uncheck-mark the box Software restricted by copyright or legal issues (Multi universe)
solved

Revision history for this message
Manfred Hampl (m-hampl) said :
#6

In your question you refer to a file named "/etc/apt/security.list". I am not aware of such file and do not have it on my system.

If I remember correctly, there is the option to enable and disable the installation of proprietary drivers, see https://davesroboshack.com/wp-content/uploads/2020/02/07_third_party_select-1024x576.png

I am not sure whether this affects restricted or multiverse or both.

What exactly to you deem wrong?
Which action do you execute, what happens, and what do you expect to happen instead?

e.g. what contents do you have in /etc/apt/sources.list with respect to -updates and -security for multiverse after initial installation, and what do you expect it to be? Or, if you would like to have a more extensive security information in the installation dialogue, please make a proposal! Do you expect to have that "install proprietary drivers" option enabled or disabled when you start a new installation?

Please create concrete proposals instead of cryptic remarks "but they may never by some users."

Revision history for this message
Acceptable Name (metta-crawler) said :
#7

Reproducing steps:

1. Security issue is reported for a package in multiverse.
2. Ubuntu security team does not decide to update or patch it. See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures where it says:
> The Ubuntu Security team also tracks issues in universe and multiverse and at their discretion may request a sync from Debian to solve vulnerabilities in packages in the current development release. Patches for flaws in packages from universe and multiverse for stable releases or for the development release when a sync from Debian is deemed too intrusive should be prepared by community members.
3. User install Ubuntu and because multiverse is enabled installs the package with a security flaw which the Ubuntu Security team did not decide to fix.
4. Security flaw in the package which lacks remediation is exploited.

Revision history for this message
Manfred Hampl (m-hampl) said :
#8

What do you suggest?
Any computer user has to be aware that there may be flaws in programs that can be exploited.

Revision history for this message
Acceptable Name (metta-crawler) said :
#9

I suggest that the Ubuntu installation software disable multiverse by default to avoid my stated reproducing steps. If someone wants to enable multiverse that is their risk, not a risk imposed by the ubuntu installation software.

Revision history for this message
Manfred Hampl (m-hampl) said :
#10

Such suggestions should be given in form of a bug report.

See also https://wiki.ubuntu.com/Ubiquity

Revision history for this message
Acceptable Name (metta-crawler) said :
#11

I started out with a question that nobody answered.

>Why is multiverse enabled by default when applying security updates to multiverse packages is discretional?