Comment 2 for bug 1462787

The attack scenario is as follows:
1. A user creates a new Ubuntu installation with debootstrap.
2. The user assumes that, because they're fetching all the packages online
from the server, they're getting the latest versions and don't need to
upgrade immediately.
3. The user is attacked via literally any of the security vulnerabilities
patched in the past up to 3.something years (e.g. Heartbleed).

On Friday, June 19, 2015, Marc Deslauriers <email address hidden>
wrote:

> Thanks for taking the time to report this bug and helping to make Ubuntu
> better. We appreciate the difficulties you are facing, but this appears
> to be a "regular" (non-security) bug. I have unmarked it as a security
> issue since this bug does not show evidence of allowing attackers to
> cross privilege boundaries nor directly cause loss of data/privacy.
> Please feel free to report any other bugs you may find.
>
> ** Information type changed from Public Security to Public
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1462787
>
> Title:
> Feature request: support for pulling packages from -security and
> -updates
>
> Status in debootstrap package in Ubuntu:
> New
>
> Bug description:
> It doesn't really make sense that when using debootstrap to create an
> Ubuntu <chroot|container|directory|installation|whatever>, old
> versions of packages will be installed, rather than the latest
> versions from the archives. The first thing that you'd need to do
> would be to immediately go and upgrade everything, which is just
> unnecessary duplication of downloading and installing. An Ubuntu
> installation (for example, Precise) created by the current version
> will be extremely insecure.
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/debootstrap/+bug/1462787/+subscriptions
>