Tell HN: Ubuntu Pro now required for security fixes, even for supported releases

68 points by josephcsible ↗ HN
Canonical now requires an Ubuntu Pro subscription to get security updates, even for Ubuntu releases that are still supported. On an Ubuntu 22.04 system that's not subscribed to Ubuntu Pro, the output of running "sudo apt dist-upgrade" includes this:

  The following security updates require Ubuntu Pro with 'esm-apps' enabled:
    libopenexr25 libmagickcore-6.q16-6-extra libmagickwand-6.q16-6
    libmagickcore-6.q16-6 imagemagick-6-common
  Learn more about Ubuntu Pro at https://ubuntu.com/pro

36 comments

[ 3.8 ms ] story [ 99.3 ms ] thread
Hmm. Doesn't do that for me. Is this something specific to imagemagick?
Not sure. A few things that might be causing the difference: 1. Make sure you're using apt and not apt-get 2. Make sure you have those packages installed 3. If you previously disabled the advertising for Ubuntu Pro, you won't see this warning, but you still won't get the updates
Ubuntu Pro covers Universe packages, which weren't previously covered by official security updates. All the packages in main still get the same security updates as before without requiring Ubuntu Pro.
I use another distro and not ubuntu. Are these security updates that are like in other repos other than the main repo?
Was just going to say, they're merely making more obvious a situation that has long existed. But most people don't bother checking if packages they depend on are part of `main` or `universe` so I can see how this comes as a shock to some.
Ubuntu makes this worse by using "end-of-life" dates as End-of-ESM at various pages[0,1]. If you read that page, you'll assume all packages will be supported till EOL for all users. This is all it says about ESM:

> Extended Security Maintenance (ESM) provides security updates on Ubuntu LTS releases for additional 5 years. It is available with the Ubuntu Advantage subscription or a Free subscription.

The Pro page[2], now has a clear graphic comparing the security coverage, but this appears to be new.

[0]: https://wiki.ubuntu.com/Releases

[1]: https://ubuntu.com/about/release-cycle

[2]: https://ubuntu.com/pro

Indeed. I see Ubuntu 20.04 imagemagick was updated with a security update in 2021 for free. Now, there is another update for imagemagick, but we have to pay for it.

The release cycle page (https://ubuntu.com/about/release-cycle) has no mention of any differences in updates for universe vs base packages.

The https://ubuntu.com/pro page says "best effort" for universe packages. Yet, they have an update for imagemagick, we just have to pay for the pro subscription to get it. How exactly is that "best effort"?

That doesn't really clarify things. It just says universe is supported by the community. Right now, we have an update for imagemagick, but we have to pay for it, whereas last year we had updates to imagemagick for free. How is that "best effort"? What they mean is, they are now putting more effort into universe, but you have to pay for the updates.

I don't mind having to pay for these updates if necessary. They should just be honest and transparent about what they are doing.

Looking into this further, I see that Ubuntu 20.04 has an identical version of imagemagick to that on Debian 10. This is a security update to imagemagick from 2020:

https://launchpad.net/debian/+source/imagemagick/8:6.9.10.23...

There are no later versions of imagemagick on ubuntu 10. So, my guess is that Ubuntu has (and will continue to) take any security updates that appear in the upstream Debian release, and add an Ubuntu Universe package for them. Now, I'm guessing, there will be additional security updates in the Universe package set for users paying for Ubuntu pro, where those packages are not available on Debian (i.e. Ubuntu themselves will package them).

If that's the case then there is nothing nefarious going on, just Canonical didn't explain it very well.

But are they now continuing to ship the known-vulnerable version in universe for new installs moving forward, but then notifying the user that an up-sell opportunity exists if they want the fixed version?
That's my impression.
There are lots of security updates in the source code for the packages. Major vulnerabilities will (presumably) have Debian package updates, and those should continue to be ported to Ubuntu. What will happen now is that Ubuntu themselves will sometimes port security updates to Ubuntu even when there is no community (debian) update upstream. At least, that is based on my own analysis (see my other comments).

So, I think this is just a new offering from Canonical, allowing us to pay for more minor security updates to the Universe packages. But they explained it very badly!

So, when did universe packages get updates without ubuntu pro? Did they only update the debs for feature updates, and withhold inbetween updates if they only had security changes? That seems insane. Or did regular ubuntu (without subscription) just never update the universe packages at all?

I had the impression that, if anything, the non-main-repo things got more frequent (minor) updates.

Usually security updates for repos on gentoo I remember (not sure about ubuntu) was up to the repo maintainer, who often recieved no support. That's the price a user pays for using a non-mainline repo. I assume it's the same.

I assume repo maintainers ship security updates if it's a shipped tarball from upstream. However, some security updates are just patches, which require manual work from the maintainer. That is the issue I think, it's not as simple as delivering what upstream already gave you.

I'd say that when maintaining a deb package for a stable distro like Ubuntu, it's much easier to apply a patch than import a whole new upstream release.
In the past, Universe packages only got security updates if a member of the Ubuntu community submitted a fix for sponsoring. The community can still do this, but additionally, Ubuntu Pro exists which also updates universe packages.
esm-apps is a separate repo for "Extended Security Maintenance". Maybe it will go to the free repos later?
should really update the title. This is either ignorance or clickbait...
No, it's not, you don't seem to have actually looked into what is happening here. See my other comment here.
> The following security updates require Ubuntu Pro with 'esm-apps' enabled:

ESM is only even a thing for EOL'd LTS releases, the title is wrong and misleading.

I think you're misunderstanding what is happening here. This is happening for non-EOLed releases. You'll see the message on Ubuntu 20.04 right now, and it has a few more years of normal support left. It's not in ESM yet.

I think it's another part of the confusion...Ubuntu seems to be lumping these updates in with ESM for some reason.

This is from right now:

Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.4.0-80-generic x86_64) root@server5:/home/ubuntu# apt upgrade Reading package lists... Done Building dependency tree Reading state information... Done Calculating upgrade... Done The following security updates require Ubuntu Pro with 'esm-apps' enabled: libmagickcore-6.q16-6-extra sntp imagemagick libzmq5 python2.7-minimal php-symfony-console libmagickwand-6.q16-6 python2.7 libzmq3-dev php-symfony-filesystem ntp php-symfony-finder imagemagick-6.q16 libopenexr24 libsdl2-2.0-0 libmysofa1 libmagickcore-6.q16-6 libpython2.7-minimal libpython2.7-stdlib composer php-symfony-process imagemagick-6-common

Those are universe packages (not in the main repo) that didn't even get security updates in the first place until now. Nobody has taken anything away that they were already getting.
No, that's not correct. ImageMagick in Ubuntu 20.04 has a security update from 2020, and it even says on the Ubuntu website that Universe packages do (and have always) had security updates from the community. What is different is that now you can pay to get more minor security updates in the Universe packages (ones that aren't available in the upstream Debian release). See my other comments here where I give more details about what is happening.
The older Ubuntu Advantage (now Ubuntu Pro infra-only) covered the main repository only. The universe repository was not covered in Ubuntu Advantage, but was covered in the new Ubuntu Pro subscription, which was in beta so far. Ubuntu Pro entered GA on 26th Jan[1], so now these apps (in universe repo) are only supported if you enable esm-apps, under a valid Ubuntu Pro. Prior to October, these apps wouldn't have been considered supported (as confirmed by running ubuntu-security-status)

You can get Ubuntu Pro for 5 personal machines for free. The change is overall a positive, since universe is now a supported repository in ESM.

Here's the relevant snippet from https://endoflife.date/ubuntu (Disclaimer: I maintain this page, feedback welcome):

> Ubuntu Pro offers security fixes for critical, high, and selected medium CVEs in the main and universe repositories. Ubuntu Pro (Infra-only) - previously known as Ubuntu Advantage - only guarantees security fixes for packages in the main repository - other packages are on a best-effort basis.

Note that Pro only covers this for limited architectures[2], so keep that in mind.

[1]: https://www.infoworld.com/article/3686569/canonical-security...

[2]: https://askubuntu.com/a/1452498

I don't think "best-effort basis" is true, now that Canonical is doing the work of patching all the vulnerabilities in them, and is just not releasing the patches outside of Pro.
There seems to be a lot of confusion about the length of support for 22.04 LTS. In the past it's always been safe to assume LTS is 5 years. But I've seen conflicting info about 22.04. For example:

https://kubuntu.org/getkubuntu/ "Kubuntu 22.04 supported with security and maintenance updates, until April 2025".

https://endoflife.date/ubuntu "Hardware and Maintenance Updates" "Ends in 1 year and 8 months (30 Sep 2024)" But the graphic you have right above that shows 22.04 "Hardware and maintenance updates" going into 2027.

https://wiki.ubuntu.com/Releases "End of Standard Support" "April 2027" At least the wiki still has the expected date, but it's hard to find anything specific on the main ubuntu.com site.

Anyone know what's going on with these dates?

It's 2027 for Ubuntu, but other variants only get 3 years of support[0]:

> Maintenance updates will be provided for 5 years until April 2027 386 for Ubuntu Desktop, Ubuntu Server, Ubuntu Cloud, and Ubuntu Core. All the remaining flavours will be supported for 3 years. Additional security support is available with ESM (Extended Security Maintenance).

The graphic (from the official website)[1] is slightly misleading because it doesn't differentiate between "Hardware & Maintenance Updates" and "Maintenance Updates". The source for these [2] marks these as 2 separate dates. The undocumented policy seems to be "hardware+Maintenance updates for 2 years", and "maintenance updates for another 3". Ubuntu doesn't seem to document what's the difference between these.

I'd reported this to Ubuntu a few years ago[3], but it wasn't deemed confusing. It's not helpful that Ubuntu website changed the definition of EOL from "end-of-unpaid-LTS-support to end of ESM. in the wiki[4] to make it appear like older releases are still supported.

[0]: https://discourse.ubuntu.com/t/jammy-jellyfish-release-notes...

[1]: https://ubuntu.com/about/release-cycle

[2]: https://github.com/canonical/ubuntu.com/blob/main/static/js/...

[3]: https://github.com/canonical/ubuntu.com/issues/8725

[4]: https://github.com/canonical/ubuntu.com/issues/8725#issuecom...

Thanks for trying to help clear that up a little. Of course they are wrong about it not being confusing.

Any guesses what changes between the first 2 years and the next 3? What are these "Hardware Updates" they seem to stop doing?

Regarding the different flavors, as far as I know they fetch updates from the main Ubuntu repos, so any Ubuntu updates should be available to them. What does it mean to say they are only supported for 3 years?

I saw this last week, and removed imagemagick. I don't use it, and it likely came in as an experiment while working fast. At least they're telling me "You have an insecure thing." and I can take action against that.
I just went to run some updates on my work machine and it's telling me its installing an ubuntu-advantage-desktop-daemon.

I am not a fan.

Click bait. It's sad that people use and complain without understanding
why is this post marked as "flagged"?

I've just posted the same