A free Ubuntu Pro plan for everyone to get 10 years of security updates […]
The main advantage of Ubuntu Pro over the standard distribution is the constant security patches.
[…]
security patching (coverage for both critical, high and selected medium CVEs)
Over 2,300 packages in Ubuntu Main repository: 10 years updates
Over 23,000 packages in Ubuntu Universe repository: 10 years updates
In the meantime I got hold of ubuntu pro and now my status is:
sudo ua status
SERVICE       ENTITLED  STATUS    DESCRIPTION
esm-infra     yes       enabled   Expanded Security Maintenance for Infrastructure
fips          yes       disabled  NIST-certified core packages
fips-updates  yes       disabled  NIST-certified core packages with priority security updates
livepatch     yes       disabled  Canonical Livepatch service
usg           yes       disabled  Security compliance and audit tools

Enable services with: pro enable <service>

Account: [my account]
Subscription: Ubuntu Pro - free personal subscription
Note: I disabled livepatch.
That looks good so far.
My question now is:
As esm-infra is active, do I get 10 years of updates now for Ubuntu Main repository and Ubuntu Universe repository on my system?
I would have to do a fresh install next April as my current system is Lubuntu 20.04.5 LTS.
But if I get the extended updates, could I safely run my system even longer?
Yes you’ll get 10 years of support for the packages from ‘main’ though I’ll suggest you need to check which packages are included when the five years is up.
E.g. with 16.04 ESM, not all packages were supported via the initial deb packages, some received support when converted to snap format. Whether or not this applies with 20.04, we’ll have to wait and see.
‘universe’ or community supported packages are not all included; haven’t been in the past, and I’ve seen no indication in any press of what they are. Whilst your 23,000 from universe sounds impressive, that’s still only a portion of what’s found in ‘universe’. I have seen mention of selected, but not what packages are included in this covered selected list; I’ve assumed like it was with 12.04, 14.04, 16.04; that we’ll see this once the release approaches EOSS (end of standard support) where 18.04 is approaching.
Lubuntu 20.04 LTS has three years of support; as the LXQt packages come from ‘universe’ and five years applies to ‘main’ packages (though it’s still possible for any MOTU to apply fixes during the five years for packages found in ‘universe’).
Yes, indeed ubuntu-security-status still tells me support is available until 4/2025.
That's for “main” I guess.
ubuntu-security-status
2794 packages installed, of which:
1797 receive package updates with LTS until 4/2025
2 packages are from third parties
2 packages are no longer available for download
[...]
I see. Thanks.
O.K. I think I get it. Surely I was getting carried away by the impressive number of packages supported.
I see. And all of the LXQt packages are not - or at least not necessarily - covered by the extended ubuntu pro plan… if I understand correctly.
Well, seems I have to do a fresh install next April after all.
But good to know how things work in the background.
The Ubuntu Pro plan covers only security patches. Whether a fix is related to security is not always clear.
That Canonical is delivering security patches for LTS releases for 10 years is
- surprising
- unclear which packages of “universe” are part of this initiative?
What does it mean to deliver security patches for several LTS versions for 10 years?
It means Canonical has a lot of (paid and unpaid) packagers who are able to create patches that only contain the security fix. Then there are a lot of testers who are testing and reviewing the patches. And Canonical must also have a lot of security experts (they cost a lot and they are hard to find on the market [but if Canonical has a lot of them, then it is clear why all the other companies have problems finding security experts]).
For Canonical as a company it makes sense to deliver 10 years of security patches to paying customers. But only for enterprise customers that are using widespread server applications (e.g. mariadb). It does not make sense for “private users” who are using the desktop version at home.
What does it mean for Lubuntu?
Lubuntu is a small project that is delivering the LXQt packages to the Ubuntu world. Because it is a small team, Lubuntu supports the delivered packages for 3 years for LTS versions.
The upstream LXQt project is unfortunately not a good upstream for stable releases (some of the LXQt project members do not seem to know what “stable release” means). They are sporadically releasing a new release. And when a new LXQt upstream release is there, the previous release is now “old” and unmaintained. If you have a problem in your “old” release, they sometimes help you to find the problem, sometimes they don’t. But they never release a fixed “old” release. That makes the life of Lubuntu a lot harder.
Let’s assume LXQt is releasing (fictive) version 3.5.6.1 with “a critical security fix in libfm-qt” in the year 2026, written for (let’s say) Qt7. Let’s further assume one of the Canonical “Ubuntu Pro” employees hears about that. It would then require that one or more employees of Canonical review the fixed version to understand the security problem and how it is fixed (and in reality security experts would further inspect the code to better understand whether the error was really fixed or more “workarounded”).
If everything looks correct and worth delivering a security patch for libfm-qt, the real fun starts:
Canonical has to extract the security fix. Then Canonical has to check the code of libfm-qt in version 0.14.1 with the used Qt5 version. And the patches need to be tested…
I have some doubts that LXQt patches are part of the “Ubuntu Pro” plan.
Not sure if someone already pointed this out or not, but esm-infra is only the Main packages. You have to enable esm-apps as well if you want updates in Universe packages. You enable those by running sudo pro enable esm-apps --beta.
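The point made in the last post (esm-infra covers Main, esm-apps covers Universe) can be checked against a status table. The following is an added example, not part of any post in this thread and not Canonical's tooling. The function names `esm_coverage` and `universe_gap` are hypothetical, the sample rows are constructed from the table quoted earlier, and the four-column layout shown there is assumed.

```shell
#!/bin/sh
# Added example: function names and sample tables are constructed for illustration.
# Assumes the "SERVICE ENTITLED STATUS DESCRIPTION" layout quoted in the thread.

# esm_coverage: read a status table on stdin and report, per archive component,
# the state of the ESM service covering it (esm-infra -> main, esm-apps -> universe).
# A service with no row at all is reported as "absent".
esm_coverage() {
    awk '
        $1 == "esm-infra" { infra = ($2 == "yes") ? $3 : "not-entitled" }
        $1 == "esm-apps"  { apps  = ($2 == "yes") ? $3 : "not-entitled" }
        END {
            if (infra == "") infra = "absent"
            if (apps  == "") apps  = "absent"
            printf "main=%s universe=%s\n", infra, apps
        }'
}

# universe_gap: exit 0 when main is covered but universe is not,
# which is the situation the status output in the thread describes.
universe_gap() {
    case "$(esm_coverage)" in
        "main=enabled universe=enabled") return 1 ;;
        main=enabled*)                   return 0 ;;
        *)                               return 1 ;;
    esac
}

# Constructed sample 1: rows taken from the thread's table (no esm-apps row).
SAMPLE_THREAD='SERVICE ENTITLED STATUS DESCRIPTION
esm-infra yes enabled Expanded Security Maintenance for Infrastructure
fips yes disabled NIST-certified core packages
livepatch yes disabled Canonical Livepatch service'

# Constructed sample 2: the same table with an esm-apps row added (row is constructed).
SAMPLE_APPS='SERVICE ENTITLED STATUS DESCRIPTION
esm-apps yes enabled Expanded Security Maintenance for Applications
esm-infra yes enabled Expanded Security Maintenance for Infrastructure'

for sample in "$SAMPLE_THREAD" "$SAMPLE_APPS"; do
    printf '%s\n' "$sample" | esm_coverage
done
# Live use on an attached machine: pro status | esm_coverage
```
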