I don't care that they're gating this behind a subscription, but the fact that they won't even tell you that you're missing an important security update? That's bad. I wonder how many people think they are fully up to date while being vulnerable to known bugs.
They do tell you that you're missing them now. On Ubuntu 24.04, apt now reports/nags me about security updates behind esm-apps.
They also publish an oval xml for use with openscap tools to get a list of unpatched CVEs. The issue is not enough people know about those tools.
https://security-metadata.canonical.com/oval/
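A worked version of the OVAL/OpenSCAP check described in the comment above, added here as an example; it is not code from the thread or from Canonical. It assumes `oscap` (openscap-scanner), `curl` and `bzip2` are installed, that the feed filename follows the `com.ubuntu.<codename>.usn.oval.xml.bz2` pattern shown in that directory listing, and the results file it parses in the demo is a constructed sample with placeholder definition IDs, not real USN definitions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Canonical.
# Fetches Canonical's USN-based OVAL feed for the running release, evaluates it
# with OpenSCAP, and lists the definitions that evaluate "true".
# Assumptions: oscap (openscap-scanner), curl and bzip2 are installed; the feed
# filename follows the com.ubuntu.<codename>.usn.oval.xml.bz2 pattern seen in
# the directory listing at https://security-metadata.canonical.com/oval/.

OVAL_BASE="https://security-metadata.canonical.com/oval"

# URL of the USN feed for a release codename (jammy, noble, ...).
oval_url() {
    printf '%s/com.ubuntu.%s.usn.oval.xml.bz2\n' "$OVAL_BASE" "$1"
}

# Download the feed for this host and evaluate it. Writes results.xml
# (machine-readable) and report.html (human-readable) in the current directory.
# oscap may exit non-zero when definitions evaluate true, so that status is
# not treated as a failure here.
run_scan() {
    codename=$(lsb_release -cs)
    curl -fsSL "$(oval_url "$codename")" | bunzip2 > oval.xml || return 1
    oscap oval eval --results results.xml --report report.html oval.xml || true
}

# Print the IDs of definitions whose result is "true" in an OVAL results file.
# Canonical's definitions are class="patch": "true" means the package versions
# on this host are still below the fixed version, i.e. the USN is unapplied.
vulnerable_definitions() {
    grep -o '<definition [^>]*result="true"[^>]*>' "$1" \
        | sed -n 's/.*definition_id="\([^"]*\)".*/\1/p'
}

# Number of unapplied definitions, usable as a gate in a cron job or CI step.
vulnerable_count() {
    vulnerable_definitions "$1" | wc -l | tr -d ' '
}

# Constructed sample in the shape of the <definitions> block oscap writes to
# results.xml; the definition IDs are placeholders, not real USN definitions.
write_sample_results() {
    cat > "$1" <<'EOF'
<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:com.ubuntu.jammy:def:1" version="1" result="true"/>
        <definition definition_id="oval:com.ubuntu.jammy:def:2" version="1" result="false"/>
        <definition definition_id="oval:com.ubuntu.jammy:def:3" version="1" result="true"/>
      </definitions>
    </system>
  </results>
</oval_results>
EOF
}

# Stand-alone demo against the constructed sample (on a real host you would
# call run_scan and then point vulnerable_definitions at results.xml).
sample=$(mktemp)
write_sample_results "$sample"
echo "Unapplied USN definitions in sample: $(vulnerable_count "$sample")"
vulnerable_definitions "$sample"
rm -f "$sample"
```

On a real host, run `run_scan` and then `vulnerable_definitions results.xml`; to map an ID back to the USN and CVEs it covers, look up the matching `<definition>` in the downloaded oval.xml (its title and reference elements carry them), or open report.html, which oscap renders from the same data.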
> I don't care they're gating this behind a subscription
I rather not have them push an ad to my face when I open the settings.
I had to install Ubuntu on an embedded board last week and the "Ubuntu Pro" ad is like a greyed out tab in the settings widget if I remember correctly. Worse than the Amazon ad they had some decade ago.
Most Ubuntu users don't know that Canonical only supports the main repository for free.
To my knowledge, only some comments hidden in /etc/apt/sources.list mention this, but the more honest approach would be to warn all users when they try to `apt install foo` some package from universe/multiverse. Or do it like RHEL with their EPEL repo and disable it by default.
But I guess they would have never gotten this popular if people saw that Ubuntu is only a few thousand packages compared to Debian's tens of thousands.
The updates in universe are definitely best effort.
If I was looking for a distro with paid support (a la RHEL/Ubuntu) that's also not incredibly behind bleeding edge (maybe not as bleeding edge as Arch, but also not running patched-to-hell-and-back software like Ubuntu), what are my options?
Thankfully I'm not personally looking for this at the moment, I'm more than happy being my own sysadmin and running anything from Arch to Fedora CoreOS to OpenSUSE on my machines.
AFAIK, your want of relatively fresh software with few patches excludes pretty much everything there is, except for really niche stuff. All other major options with good commercial support have been mentioned by siblings; I'll add Debian + Freexian to the list.
> ...what are my options?
> ...Maybe it is time to go back to Debian, as they seem to release these fixes to their users?
Curious if this would actually be a solution. They state that fixes in Debian are down-streamed regardless of support, so if this fix wasn't down-streamed, then why would it be in Debian?
As for why it isn't in Ubuntu 22.04 - perhaps because the Ubuntu release schedule does not match Debian's.
Debian buster was released in September 2022 - Ubuntu's April tagging is probably based off of the prior Debian release, which only gets critical updates.
I'd argue we wouldn't have Snap [for the better] if their LTS releases weren't visually bound to years... saving overhead they regularly create for cosmetic reasons.
Wouldn't have to create it to consolidate platforms if they stopped making them so often!
They have three concurrent LTS releases when they need one. Maybe two. 18.04 is the python2 of distributions. Let it go.
Having worked in several places that relied on it... ESM is being the bad kind of enabler.
Fedora handles "The Snap Problem" -- many target distributions -- with 'fedpkg' and 'mock'. Software and machines on the build side. Not by degrading the end user experience. They do participate with Flatpak... but that's peer pressure more than anything.
Flatpak is more well-rounded IMO. Probably from being the broader answer. Maybe this all doesn't make an argument. Just a bunch of statements. I don't know.
Back on topic: I wonder what all of this Canonical stuff in particular is for/leads to. New software isn't scary; 'just' plan/test. It becomes scary when you get lazy here... so accept your involvement.
Your free personal Ubuntu Pro subscription does in fact cover as many VMs and containers as you can run on up to five personal machines, as the OP well knows. I like that we make Ubuntu Pro, including universe updates, free for anyone running at small scale.
Thanks for the reply and the correction. I've updated the post to reflect this. I'm sure it will be helpful for others, as the UI doesn't reflect that these containers do not come out of the overall allocation. As you'll see in the screenshot I've added, it looks as if these are being counted as 8 physical machines against 5 tokens.
It's possible to fix anything from the sources, but I guess the Tomcat version in 22.04 didn't have a corresponding stable Debian version? (vs. the 20.04 version)
Ubuntu is merely reusing apt to connect to its own repositories. You could manually install packages from Debian's repositories, but it's probably inadvisable.
captn3m0|1 year ago
At one point Ubuntu changed the EOL tables on their Wiki from 5 years to 10 with no explanation about applicability/ESM - just calling it LTS.
It is among the longest pages on our website.
thinkst|1 year ago
We were paying for Ubuntu Pro through an AWS subscription on 2k EC2 instances, and could not get Canonical to update a package with a CVSS 7.8 in the 18.04 LTS.
We've moved off Ubuntu Pro as a result. Blogged it at https://blog.thinkst.com/2024/07/unobtrusively-upgrading-ubu...
brylie|1 year ago
https://www.suse.com/products/server/
ZhongXina|1 year ago
https://www.freexian.com
frankjr|1 year ago
https://almalinux.org
Dylan16807|1 year ago
> Having worked in several places that relied on it... ESM is being the bad kind of enabler.
The business proposition is 10 years of support with minimal package changes. Are you asking them to just stop selling that product?
Fewer LTS releases wouldn't change that core question, since if they never had a 2018 LTS release those users would be on the 2016 release instead.