💾 Archived View for 9til.de › lobsters › h2dszz.gmi captured on 2023-11-14 at 07:45:53. Gemini links have been rewritten to link to archived content
Viewing comments for "Yes, Ubuntu Is Withholding Security Patches for Some Software"
---
mort commented [7]:
I have noticed this too. Anyone who's using Ubuntu Server
LTS without Ubuntu Pro probably has a whole bunch of known
insecure software on their system, with security fixes
available, provided by Canonical .. but Canonical won't give
them to you until you pay up.
I get that Canonical needs some way of making people pay.
But "You can use our server OS for free, but you need to
pay for security updates (and we won't really indicate that
until long after you've installed the OS)" is more slimy
than even Microsoft could've come up with. "Your system
is insecure, pay us to fix it" is the behavior I expect
from antivirus scams, not from allegedly serious server
OS vendors.
And yes, this only applies to Universe packages. That
makes no difference when a whole bunch of vital (often
network-facing) libraries, such as the ffmpeg libraries or
imagemagick, are provided as universe packages.
> david_chisnall commented [6]:
I would like to thank Canonical for providing enterprise
users with another incentive to try FreeBSD.
> sjamaan commented [3]:
If they're really doing this and withholding essential
security updates, I don't quite see the point of the LTS
releases, from a user's perspective, if they're insecure.
From Canonical's point of view, why not just ask money for
LTS? For instance, say all releases are supported until
there are one or two newer versions (a la Debian), and any
support beyond that costs money. That would make a lot more
sense and probably piss off almost nobody.
> gerikson commented [1]:
As a user of Ubuntu LTS, it behooves you to know the
difference between packages in the Main and Universe package
collection.
If you rely on packages from Universe to run your server,
you will have to make the decision to either pay for
Ubuntu Pro and let Canonical take care of applying security
patches, or handle that yourself by building from source.
Or use another distribution with better and/or cheaper
handling of LTS editions of the GNU/Linux system.
> sjamaan commented [1]:
Once you enable a package collection, it's not always
obvious where a package is coming from. And tracking
vulnerabilities manually for all packages you are using is
not really feasible for most(?) users, and then verifying
the vulnerable packages are coming from Universe rather than
main and rebuilding it even less.
At least they're emitting a warning so you know you should
probably start paying for Pro or upgrade. But it definitely
muddies the waters and makes it harder to draw a clear line
between "supported" and "unsupported". That's why I think
it'd make more sense to just ask money for everything in the
LTS beyond a number of years.
> gerikson commented [1]:
This is definitely true. I tried to find out what packages
I had installed that were from the Universe repo and it
was a bit involved (ironically, it required a package from
Universe: aptitude).
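Added example, not from any commenter in the thread: a shell helper that answers the question gerikson raises (which installed packages came from Universe) using only apt-cache policy and dpkg-query, so it does not need aptitude. It parses the "***" block of apt-cache policy output to find the suite/component the installed version was fetched from, and treats a version that exists only in /var/lib/dpkg/status (a hand-installed .deb, or a PPA that has since been removed) as "local" rather than guessing. The sample policy outputs below are constructed for the example; the esm.ubuntu.com host check is an assumption about how Pro archives appear in sources.

```shell
#!/bin/sh
# Classify installed Ubuntu packages by the archive their installed version came from.
# Added example for this thread; assumes the apt-cache policy output format used by Ubuntu.
set -eu

# Read `apt-cache policy <pkg>` text on stdin; print "<url> <suite/component>" for the
# installed version, "local" if it only exists in /var/lib/dpkg/status, or "unknown"
# if no installed version block (" *** ...") is present.
installed_origin() {
  awk '
    /^ \*\*\* /                   { in_installed = 1; next }   # installed version block
    in_installed && /^     [^ ]/  { exit }                    # next version block: stop
    in_installed && $1 ~ /^[0-9]+$/ {                         # source line: "500 <url> <suite/comp> ..."
      if ($2 ~ /^\//) { local_only = 1; next }                # /var/lib/dpkg/status entry
      print $2 " " $3; found = 1; exit
    }
    END { if (!found) print (local_only ? "local" : "unknown") }
  '
}

# Map an origin string to a maintenance class. Order matters: Pro/ESM and PPA hosts use
# "main" as their component too, so the host is checked before the component.
origin_class() {
  case "$1" in
    local)                       echo "local (not from any configured archive)" ;;
    unknown)                     echo "unknown (not installed?)" ;;
    *esm.ubuntu.com*)            echo "ubuntu-pro (ESM archive; assumed host)" ;;
    *ppa.launchpad.net*)         echo "ppa (third-party)" ;;
    */main|*/restricted)         echo "main/restricted (Canonical security maintenance)" ;;
    */universe|*/multiverse)     echo "universe/multiverse (community; Canonical fixes only via Pro esm-apps)" ;;
    *)                           echo "third-party" ;;
  esac
}

# Walk every installed package on a live system and print: package, origin, class.
# Only run on a real Ubuntu host; the samples below let the parser be exercised offline.
scan_system() {
  dpkg-query -W -f='${binary:Package}\n' | while read -r pkg; do
    origin=$(apt-cache policy "$pkg" | installed_origin)
    printf '%s\t%s\t%s\n' "$pkg" "$origin" "$(origin_class "$origin")"
  done
}

# Constructed sample apt-cache policy outputs (not captured from a real host).
SAMPLE_UNIVERSE='libavcodec58:
  Installed: 7:4.4.2-0ubuntu0.22.04.1
  Candidate: 7:4.4.2-0ubuntu0.22.04.1
  Version table:
 *** 7:4.4.2-0ubuntu0.22.04.1 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages
        100 /var/lib/dpkg/status
     7:4.4.1-3ubuntu5 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages'

SAMPLE_MAIN='openssl:
  Installed: 3.0.2-0ubuntu1.12
  Candidate: 3.0.2-0ubuntu1.12
  Version table:
 *** 3.0.2-0ubuntu1.12 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
        100 /var/lib/dpkg/status
     3.0.2-0ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages'

SAMPLE_LOCAL='mytool:
  Installed: 1.0-1
  Candidate: 1.0-1
  Version table:
 *** 1.0-1 100
        100 /var/lib/dpkg/status'

# Convenience wrapper so a sample can be classified in one call.
classify_sample() {
  origin=$(printf '%s\n' "$1" | installed_origin)
  origin_class "$origin"
}

if [ "${1:-}" = "--scan" ]; then
  scan_system          # usage: sh universe-check.sh --scan | awk -F'\t' '$3 ~ /^universe/'
fi
```

Usage: run with --scan on the host and filter the third column for "universe" to get the list of packages whose fixes would come only through Pro's esm-apps; anything reported as "local" or "ppa" is outside Canonical's maintenance entirely, which is the case the component-only view in the thread does not surface.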
> Marius commented [2]:
But "You can use our server OS for free, but you need to
pay for security updates (and we won't really indicate that
until long after you've installed the OS)" is more slimy
Isn't this just a sales tactic though ? I mean the Ubuntu
server page states :
"Ubuntu Pro subscriptions expands security maintenance to
over 30,000 packages for 10 years and provides optional,
enterprise-grade phone and ticket support by Canonical."
They are not hiding this, no company (that I know of)
offers support for LTS versions of their software (for 10
years !!) for free.
> mort commented [3]:
The thing is, this isn't "you have to pay to get extended
support". This is "you have to pay to get security updates
for the current version of the OS". It's not like I'm using
Ubuntu 16.04 here; if you go to the Ubuntu Server download
page right now, you'll be told to get 22.04, since that's
the current main version.
Of course, you could get Ubuntu 23.10, but Canonical clearly
views the LTS as the "main" version, to the point that
the interim Ubuntu releases are treated as more or less
experimental versions to get software ready to get into
the next LTS. Even huge bugs, such as "all users with will
have their system bricked until they enter a TTY and edit
/etc/gdm3.conf manually" or " segfaults at launch", aren't
enough to hold back an interim release. Canonical could not
be more clear in their communication that people who expect
reliability should be on the LTS versions, not upgrade to
the interim versions.
Basic security updates for the current main release of the
OS should not be a paid feature. Either the whole OS should
be paid, or security updates should be provided to free
users until there is a new version to upgrade to.
> Marius commented [1]:
Basic security updates for the current main release of the
OS should not be a paid feature.
This is the reason I said a "sales tactic". You are thinking
about Ubuntu Server as the full featured OS. But, without
Ubuntu Pro, it's simply a demo which cannot be updated ..
RHEL and Windows Server (for example) allows you to "try"
the full version for 60/90 days and then it stops working.
Ubuntu Server works "forever" but without updates ...
It's just a different attempt to let you evaluate and then
buy their stuff ..
> x64k commented [2]:
The same page that says that about Ubuntu Pro at the bottom
also has this to say at the top:
Fast fixes
No system is 100% secure and vulnerabilities will always
arise. What matters is the speed and success with which
they are resolved -- and nobody makes fixes available faster
than Canonical.
10 years of support
A new LTS (Long Term Support) version of Ubuntu is released
every two years, for desktop and server. Both versions
receive updates and are supported for ten years.
Expanded security
Canonical offers Expanded Security Maintenance (ESM)
for infrastructure and applications to provide kernel
livepatches and vulnerability fixes through a secure and
private archive.
(emphasis mine)
Neither the "fast fixes" nor the "10 years of support"
points are qualified with "only for some packages", and
the page doesn't explain that ESM actually applies only
to paying customers. ESM is listed as one of the perks of
Ubuntu, not Ubuntu Pro.
Where I'm from we call those cruise scams, because a long
time ago (the practice was outlawed at some point) river
cruise sellers would advertise pretty cheap all-day river
cruises with an open buffet and a nice dinner, but once
you were on board, you found out none of those things were
included in the base price and were in fact exorbitantly
expensive. Unless you were a good swimmer, you either paid
like 20x the base price of the cruise or went for a day
without food or water.
They might actually be hiding it, that's why the wording in
the "Ubuntu Pro" list at the bottom uses slightly different
wording ("expands security maintenance" vs. "Expanded
Security Maintenance (ESM)"). I no longer recall the details
but I pointed this out to a customer who was evaluating
Ubuntu Server for their infrastructure and thought he'd
nailed his budget because they offered 10 years of updates
for free. The folks in their legal team were convinced
the slightly different word choice was deliberate, as
it would've otherwise veered dangerously close to false
advertising in the legal sense.
Edit: FWIW, this isn't exactly news. Every once in a while
someone finds out and the Interwebs go up in arms about it
but this is just how product offerings are obfuscated in
general. If anyone thinks this is bad, oh boy, you're gonna
love talking to Oracle's salespeople.
> gerikson commented [1]:
Is this something that's for newer LTS releases? I don't
get any warnings when running apt upgrade on my VPS running
20.04.6 LTS.
Edit: I get the nag screen from the .today screen.
That said I don't have any packages from Universe that have
updates, apparently.
> clemherreman commented [1]:
I am missing something in that blog post. Universe packages
are "[ ..] overseen by community maintainers rather than by
Canonical directly". Does this mean that the delta between
patched, Ubuntu-pro packages could be filled by those same
community managers ?
If so, I fail to see how Canonical is "withholding security
patches". It feels like they are just picking, applying &
testing security patches for paying customers.
> mort commented [2]:
I don't know, and frankly, I don't care. I know that any
time I upgrade my system (running the current main version
of Ubuntu, 22.04, the version you're told to download on
the download page), Canonical tells me that my system is
insecure, that they have security fixes available, but that
I need to pay an additional fee to get those security fixes.
That in itself is what leaves a bad taste in my mouth, which
exact official Canonical repository the packages are coming
from doesn't really matter.
> gerikson commented [1]:
You only need to pay for the security fixes if you want
to get them from Canonical. Nothing is stopping you from
getting the sources and compiling them yourself.
> jzb commented [1]:
Two thoughts: one - if not this, exactly what method do
you suggest that Canonical employ to get people to pay for
Ubuntu?
Everyone wants LTS and security updates and solid server and
desktop Linux distributions. Few people or companies seem
willing to pay.
Second thought: my beef with this isn't what they're doing
so much as the fact that Shuttleworth used to call Red Hat
proprietary and so forth for its subscription model and now
they're doing basically the same thing.
> mort commented [3]:
Frankly, I don't care how they do it. They could charge for
Ubuntu Server. They could market the gratis version as a
"free trial". Or maybe it would be enough to only provide
free support for an Ubuntu LTS release until the next LTS,
and charge (or require Ubuntu Pro) for support after that.
There's a lot of different options.
The thing they should not be doing is marketing Ubuntu
Server LTS as a serious gratis server distribution and then
start charging for security updates before the next version
is available.
af commented [1]:
Rocky Ubuntu incoming.
> jzb commented [3]:
LOL nope. Nobody wants to clone Ubuntu in that way. It
doesn't have anything like RHEL's commercial ecosystem. Plus
the nice thing about rebuilding RHEL is that it's a limited
set of software. Like 3,000 packages?
Ubuntu Universe repo is many times that. If that's what you
want, just use Debian.
---