Tell HN: Ubuntu Pro now required for security fixes, even for supported releases
Canonical now requires an Ubuntu Pro subscription to get security updates, even for Ubuntu releases that are still supported. On an Ubuntu 22.04 system that's not subscribed to Ubuntu Pro, the output of running "sudo apt dist-upgrade" includes this:
The following security updates require Ubuntu Pro with 'esm-apps' enabled:
libopenexr25 libmagickcore-6.q16-6-extra libmagickwand-6.q16-6
libmagickcore-6.q16-6 imagemagick-6-common
Learn more about Ubuntu Pro at https://ubuntu.com/pro
36 comments
[ 3.8 ms ] story [ 99.3 ms ] thread> Extended Security Maintenance (ESM) provides security updates on Ubuntu LTS releases for additional 5 years. It is available with the Ubuntu Advantage subscription or a Free subscription.
The Pro page[2], now has a clear graphic comparing the security coverage, but this appears to be new.
[0]: https://wiki.ubuntu.com/Releases
[1]: https://ubuntu.com/about/release-cycle
[2]: https://ubuntu.com/pro
The release cycle page (https://ubuntu.com/about/release-cycle) has no mention of any differences in updates for universe vs base packages.
The https://ubuntu.com/pro page says "best effort" for universe packages. Yet, they have an update for imagemagick, we just have to pay for the pro subscription to get it. How exactly is that "best effort"?
I don't mind having to pay for these updates if necessary. They should just be honest and transparent about what they are doing.
https://launchpad.net/debian/+source/imagemagick/8:6.9.10.23...
There are no later versions of imagemagick on ubuntu 10. So, my guess is that Ubuntu has (and will continue to) take any security updates that appear in the upstream Debian release, and add an Ubuntu Universe package for them. Now, I'm guessing, there will be additional security updates in the Universe package set for users paying for Ubuntu pro, where those packages are not available on Debian (i.e. Ubuntu themselves will package them).
If that's the case then there is nothing nefarious going on, just Canonical didn't explain it very well.
So, I think this is just a new offering from Canonical, allowing us to pay for more minor security updates to the Universe packages. But they explained it very badly!
I had the impression that, if anything, the non-main-repo things got more frequent (minor) updates.
I assume repo maintainers ship security updates if it's a shipped tarball from upstream. However, some security updates are just patches, which require manual work from the maintainer. That is the issue I think, it's not as simple as delivering what upstream already gave you.
ESM is only even a thing for EOL'd LTS releases, the title is wrong and misleading.
I think it's another part of the confusion...Ubuntu seems to be lumping these updates in with ESM for some reason.
This is from right now:
Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.4.0-80-generic x86_64) root@server5:/home/ubuntu# apt upgrade Reading package lists... Done Building dependency tree Reading state information... Done Calculating upgrade... Done The following security updates require Ubuntu Pro with 'esm-apps' enabled: libmagickcore-6.q16-6-extra sntp imagemagick libzmq5 python2.7-minimal php-symfony-console libmagickwand-6.q16-6 python2.7 libzmq3-dev php-symfony-filesystem ntp php-symfony-finder imagemagick-6.q16 libopenexr24 libsdl2-2.0-0 libmysofa1 libmagickcore-6.q16-6 libpython2.7-minimal libpython2.7-stdlib composer php-symfony-process imagemagick-6-common
You can get Ubuntu Pro for 5 personal machines for free. The change is overall a positive, since universe is now a supported repository in ESM.
Here's the relevant snippet from https://endoflife.date/ubuntu (Disclaimer: I maintain this page, feedback welcome):
> Ubuntu Pro offers security fixes for critical, high, and selected medium CVEs in the main and universe repositories. Ubuntu Pro (Infra-only) - previously known as Ubuntu Advantage - only guarantees security fixes for packages in the main repository - other packages are on a best-effort basis.
Note that Pro only covers this for limited architectures[2], so keep that in mind.
[1]: https://www.infoworld.com/article/3686569/canonical-security...
[2]: https://askubuntu.com/a/1452498
Edit: Filed https://github.com/endoflife-date/endoflife.date/issues/2414
https://kubuntu.org/getkubuntu/ "Kubuntu 22.04 supported with security and maintenance updates, until April 2025".
https://endoflife.date/ubuntu "Hardware and Maintenance Updates" "Ends in 1 year and 8 months (30 Sep 2024)" But the graphic you have right above that shows 22.04 "Hardware and maintenance updates" going into 2027.
https://wiki.ubuntu.com/Releases "End of Standard Support" "April 2027" At least the wiki still has the expected date, but it's hard to find anything specific on the main ubuntu.com site.
Anyone know what's going on with these dates?
> Maintenance updates will be provided for 5 years until April 2027 386 for Ubuntu Desktop, Ubuntu Server, Ubuntu Cloud, and Ubuntu Core. All the remaining flavours will be supported for 3 years. Additional security support is available with ESM (Extended Security Maintenance).
The graphic (from the official website)[1] is slightly misleading because it doesn't differentiate between "Hardware & Maintenance Updates" and "Maintenance Updates". The source for these [2] marks these as 2 separate dates. The undocumented policy seems to be "hardware+Maintenance updates for 2 years", and "maintenance updates for another 3". Ubuntu doesn't seem to document what's the difference between these.
I'd reported this to Ubuntu a few years ago[3], but it wasn't deemed confusing. It's not helpful that Ubuntu website changed the definition of EOL from "end-of-unpaid-LTS-support to end of ESM. in the wiki[4] to make it appear like older releases are still supported.
[0]: https://discourse.ubuntu.com/t/jammy-jellyfish-release-notes...
[1]: https://ubuntu.com/about/release-cycle
[2]: https://github.com/canonical/ubuntu.com/blob/main/static/js/...
[3]: https://github.com/canonical/ubuntu.com/issues/8725
[4]: https://github.com/canonical/ubuntu.com/issues/8725#issuecom...
Any guesses what changes between the first 2 years and the next 3? What are these "Hardware Updates" they seem to stop doing?
Regarding the different flavors, as far as I know they fetch updates from the main Ubuntu repos, so any Ubuntu updates should be available to them. What does it mean to say they are only supported for 3 years?
I am not a fan.
I've just posted the same