Yeah but such big distros like Debian and openSUSE don’t hesitate to support it, huh?
And how much of those unsupported packages turned out to be security related???
Yes, I see it. But you are looking at Ubuntu, which is not Lubuntu. Lubuntu is based on Ubuntu, but uses a different desktop environment. All the needed packages for the desktop environment are unsupported now.
The packages of the “desktop Ubuntu” are in the main repository and are maintained during 5 years.
The packages of Lubuntu are in the universe repository and are supported 3 years, because the Lubuntu team is small.
Answer to that before going to LXDE vs/and LXQt
ok, you now going off-topic. Here the point was about unsupported security packages, which are same as in UBUNTU.
LUBUNTU team doesn’t make up it’s own security packages, is it?
You have two “good” options: Either change the distribution to get further bug and security updates or start packaging yourself.
The amount is not important. An attacker usually needs only one vulnerability to exploit the system.
On a first glance lxpolkit comes to mind which is security related. But there are surely others.
And please keep in mind, that the Lubuntu team is not doing security audits. The team was just packaging LXDE and is now packaging LXQt for supported releases.
What do you think, who is packaging the packages for Lubuntu?
The process for security related packages is slightly different. But the work is usually done by the team itself.
As I said before, please inform yourself.
3 Likes
here is your lxpolkit, and it comes from lxde
any other packages ? only one as example?
Don’t exaggerate please. All you do is you putting lxde on top of ubuntu and make sure that everything is smooth and to the point.
You don’t make up security packages
I love my wallpapers, so on my actual box there are many packages that contain nothing but wallpapers; and the security risks for those I consider nil/moot.
If you actually noticed - I use a box of my own; meaning I still have and use a Lubuntu 18.04 LTS box (which is unsupported here); I’ve talked about it numerous times on this site (usually in response to 18.04’s EOL). The box is i386 (pentium M) so my option is a non-Ubuntu (which would be Debian for me).
My whole point was to make people consider the risk, and make a decision themselves. Also to alert them, to the fact that they’re now off-topic with LXDE questions here, so support options have reduced (other sites too).
I tested both Lubuntu 18.10 & Lubuntu 19.04 (alpha ISOs before the i386 was dropped) on single-core pentium M, and pentium 4 boxes and contrasted the speed with the Lubuntu 18.04.
Yes LXDE is fast if you’re talking about the desktop itself, but it’s GTK2 and given so few apps these days are GTK2, the light on resources tends to get lost/wasted if you any modern GTK3 or Qt5 app. This gives the LXQt a huge advantage, and made Lubuntu 18.10 & 19.04 about equal in my testing using really old & limited resource pentium M/D/4 processors (with 1GB, or 1.5GB ram).
LXQt was about equal to LXDE with GTK3 apps; but LXQt did better with Qt5 apps (though most Qt5 apps tend to also need KF5 that means some lightness is lost). All this is very subjective… (and performance differs on different CPUs; modern CPUs handle GTK3 far better than the old pentium 4/m do).
Yes the LXDE desktop is real light, but its using deprecated libraries so if you’ve a limited resource machine, it’s not actually saving you any RAM in my opinion… and this is testing on devices with only 1GB of RAM.
1 Like
What does that prove and how does that help? If you look at the editors of the page you’ll actually see my username there; I’m aware of the document (as all Lubuntu people will be too).
Parts of Ubuntu 18.04 LTS are covered for the full five years (all packages found in main, restricted…) but that does not include universe.
Ubuntu provides tools so users can confirm that, the ubuntu-support-status I’ve alluded to many times.
End of Life includes ESM or extended security maintenance which again includes only certain packages.
Lubuntu 18.04 is not covered in that document.
If you look at Ubuntu Fridge | Ubuntu 18.04.5 LTS released
Maintenance updates will be provided for 5 years for Ubuntu Desktop, Ubuntu Server, Ubuntu Cloud, and Ubuntu Base. All the remaining flavours will be supported for 3 years.
Lubuntu is one of the flavours that had 3 years of support (not the five).
If you don’t believe the page I’ve just provided (because it’s got my name on it; I’m in the Ubuntu News team too) you can jump to the end where you’ll see the official release link from the Ubuntu Release Team.
2 Likes
This statement is based that whatever comes from Lubuntu team is for 3 years. And whatever comes from Ubuntu is for 5 years, and this whatever from Ubuntu include security packages.
Again you referring to
I have executed it on a fresh 64 bit install. Point at those ‘not all security packages’ please.
I agree you don’t support Lubuntu LXDE environment and that was your 3 year support, but Ubuntu didn’t canceled it’s 5 year support.
You see, you didn’t even changed Distro name on grub menu, it reads ‘Ubuntu’!
My point here is that you misinterpreting ubuntu-support-status command and concluding by saying that using lubuntu 18.04.5 is not secure. So I want to deliver you a message, don’t exaggerate, don’t misinterpret. There maybe some users who love using Lubuntu, but backed off by you statements.
All packages found in ‘universe’ came with 3 years of support, which is over. If security flaws are discovered upstream, you can of course backport the patches yourself & recompile programs.
Every package in the Ubuntu repository has a certain level of security… the highest level are those in the ‘main’ repository. ‘universe’ has less, but all get reviewed and require SRU’s to change post-release time. Of course some packages get more attention (glibc of course takes a lot more time to review than say a package containing just wallpapers), but security applies to all packages.
If you want packages without any security checks, those are found in PPAs. You’re not understanding what @apt-ghetto was trying to say about security being involved in everything Ubuntu supplies.
We all have our own needs; and levels of security we need or are willing to live with. Yes ubuntu-support-status was deemed to be less than clear, which is why it’s not used in current releases (it was replaced with ubuntu-security-status).
Yes you can run GTK3 (which is Unity, GNOME Shell, etc) apps, but LXDE is no longer lean and efficient with those, as you have two libraries that do the same thing in RAM at the same time, the GTK2 libs for the desktop, and GTK3 libs needed for the programs. In this circumstance LXDE is not lighter than a GTK3 desktop, which was my whole point (though I’d opt for XFCE myself rather than Unity 7 or GNOME Shell)
LXDE is best (fastest and lightest) when used with GTK2 apps… it’s advantages mostly lost with GTK3 or Qt5 apps. Yes GTK2 apps exist (hexchat for example; gimp in 18.04), but they are few.
2 Likes
Ok, thank you for your long reply. I have read it…
Ok, I see, that you still have no clue about the packaging workflow and the different repositories. And with your lack of knowledge about security in general, it does not make sense for me to continue the discussion with you.
Just a summary of what I tried to explain:
- The support for LXDE in 18.04 has ended
- Lubuntu is not lying about this fact
- Lubuntu is not providing any bug fixes or security fixes for LXDE any longer
- Whoever wants to use LXDE, must switch to another distribution, where LXDE is still supported
- You are responsible for your system and you are also responsible for all consequences that result from using an unsupported system
3 Likes
Just a follow up … Debian Bullseye or Debian 11 also runs on my old pentium M x86 hardware…
(I won’t test it on the pentium 4 box; it didn’t turn on and I’m not going to explore/fix that, and I have no intention of trying the older celeron x86 where Lubuntu bionic outperformed all others; I kept those only for i386 testing with Lubuntu of which there is no need).
3 Likes