security sources.list needs fixing on upgrade

Bug #2036679 reported by Steve Langasek
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| ubuntu-release-upgrader (Ubuntu) | Fix Released | High | Unassigned | |
| Mantic | Fix Released | High | Unassigned | |

Bug Description

subiquity was inadvertently configuring installed systems to use CC.archive.ubuntu.com as the mirror for the security pocket, instead of security.ubuntu.com.

This has been fixed in subiquity, but installed systems still have the wrong config.

We need quirking to fix this on upgrade.

Steve Langasek (vorlon)
tags: added: foundations-todo
Changed in ubuntu-release-upgrader (Ubuntu Mantic):
importance: Undecided → High
description: updated
information type: Public → Public Security
Olivier Gayot (ogayot) wrote :

I'd like to provide some more information:

1. Affected installs done offline would have left the systems configured to use archive.ubuntu.com rather than $CC.archive.ubuntu.com. The country-code is determined using a query to geoip.ubuntu.com. So no network means no country mirror. Moreover, Subiquity runs mirror testing against the country mirror and can automatically revert to the non-country alternative (i.e., archive.ubuntu.com) if it seems to work better.

2. The ubuntu-server installer allows the user to customize the URL that is used to access the $release and $release-updates pockets. Since the URL was mistakenly applied to the security pocket as well, it is possible (although uncommon) that some people have their system configured with arbitrary URLs for the security pocket. A similar configuration can only be achieved on ubuntu-desktop by means of autoinstall directives.

3. On ports architectures (e.g., arm64, s390x, riscv64, ...) the systems were previously expected to have ports.ubuntu.com/ubuntu-ports set for the -security pocket - but I didn't find an official statement.
Affected installs would likely show $CC.ports.ubuntu.com instead of ports.ubuntu.com for the -security pocket.
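
An audit for the misconfiguration described in this report, as an added example that is not part of the original comment or of ubuntu-release-upgrader: it scans one-line-style sources.list text and reports -security entries that are not served from the security archive. The function name, the sample entries and the release name in them are constructed; the ports expectation follows the comment above, which notes there is no official statement.

```python
import re
from urllib.parse import urlparse

# Expected hosts for the -security pocket. The ports value follows the comment
# above, which found no official statement; treat it as an assumption.
EXPECTED_HOST = {"primary": "security.ubuntu.com", "ports": "ports.ubuntu.com"}

# One-line-style entry: deb|deb-src [options] URI suite component...
ENTRY = re.compile(r"^(deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(\S+)(?:\s+.*)?$")


def audit_security_pocket(text, arch_family="primary"):
    """Return (line_no, host, suite, reason) for each suspect -security entry."""
    expected = EXPECTED_HOST[arch_family]
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and disabled entries
        match = ENTRY.match(line)
        if not match:
            continue
        _, uri, suite = match.groups()
        if not suite.endswith("-security"):
            continue
        host = (urlparse(uri).hostname or "").lower()
        if host == expected:
            continue
        if host.endswith((".archive.ubuntu.com", ".ports.ubuntu.com")):
            reason = "country mirror"
        elif host == "archive.ubuntu.com":
            reason = "primary archive"
        else:
            reason = "custom mirror"
        findings.append((line_no, host, suite, reason))
    return findings


# Constructed sample, not taken from a real system.
SAMPLE = """\
deb http://fr.archive.ubuntu.com/ubuntu jammy main restricted
deb http://fr.archive.ubuntu.com/ubuntu jammy-updates main restricted
deb http://fr.archive.ubuntu.com/ubuntu jammy-security main restricted
deb [arch=amd64] http://mirror.example.internal/ubuntu jammy-security universe
# deb http://fr.archive.ubuntu.com/ubuntu jammy-security multiverse
deb http://security.ubuntu.com/ubuntu jammy-security multiverse
"""

if __name__ == "__main__":
    for finding in audit_security_pocket(SAMPLE):
        print("line %d: %s serves %s (%s)" % finding)
```

The "custom mirror" case corresponds to point 2 above: such an entry may be an intentional local mirror, so it is worth reviewing by hand before changing it.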

Nick Rosbrook (enr0n)
Changed in ubuntu-release-upgrader (Ubuntu Mantic):
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-release-upgrader - 1:23.10.7

---------------
ubuntu-release-upgrader (1:23.10.7) mantic; urgency=medium

  * DistUpgradeQuirks: Use generic font temporarily at upgrade
    (LP: #2034986)
  * DistUpgradeQuirks: Switch snap channels instead of refresh
    (LP: #2036765)
  * DistUpgradeController: Ensure security archive is used for security pocket
    (LP: #2036679)
  * Run pre-build.sh: updating mirrors and demotions.

 -- Nick Rosbrook <email address hidden> Fri, 29 Sep 2023 14:44:34 -0400

Changed in ubuntu-release-upgrader (Ubuntu Mantic):
status: Fix Committed → Fix Released
Benjamin Drung (bdrung)
tags: removed: foundations-todo