July 11th, 2024

Ubuntu Security Updates Are a Confusing Mess

The article delves into Ubuntu security update complexities, emphasizing Tomcat vulnerability issues. It discusses patch availability discrepancies across LTS versions, Canonical's support limitations, and considerations of switching to Debian for more consistent security fixes.

The article discusses the complexity surrounding Ubuntu security updates, particularly focusing on the case of a Tomcat vulnerability. It highlights the confusion caused by the availability of patches for different Ubuntu LTS releases. While older versions like 18.04 receive patches through Extended Security Maintenance (ESM) or Ubuntu Pro subscriptions, newer versions like 22.04 may not have access to the same updates. The article explains how Canonical's support for packages in the universe repository is on a "Best Effort" basis, impacting the availability of security patches for regular LTS users. It also mentions the option of upgrading to Ubuntu Pro for access to patches but notes the limitations for non-commercial users. The author contemplates switching to Debian due to its more consistent release of security fixes. Ultimately, the article questions the clarity of support provided by Canonical and the implications for users relying on LTS versions for security updates.

Related

Windows: Insecure by Design

Ongoing security issues in Microsoft Windows include vulnerabilities like CVE-2024-30080 and CVE-2024-30078, criticized for potential remote code execution. Concerns raised about privacy with Recall feature, Windows 11 setup, and OneDrive integration. Advocacy for Linux desktops due to security and privacy frustrations.

Canonical's 'distroless' Linux images are a game-changer for enterprises

Canonical introduces 'distroless' Linux images with long-term support, enhancing security by reducing attack surface. Plans include supporting various platforms and adding open-source components to Ubuntu Pro subscriptions, emphasizing AI/ML tools. Collaboration with Microsoft for .NET containers solidifies Canonical's commitment to rapid security resolutions.

Windows: Insecure by Design

The article discusses ongoing security issues with Microsoft Windows, including recent vulnerabilities exploited by a Chinese hacking group, criticism of continuous patch releases, concerns about privacy invasion with Recall feature, and frustrations with Windows 11 practices. It advocates for considering more secure alternatives like Linux.

CVE-2021-4440: A Linux CNA Case Study

CVE-2021-4440: A Linux CNA Case Study

The Linux CNA mishandled CVE-2021-4440 in the 5.10 LTS kernel, causing information leakage and KASLR defeats. The issue affected Debian Bullseye and SUSE's 5.3.18 kernel, resolved in version 5.10.218.

Company offers unofficial security patches for Windows 10 until 2030

0Patch offers unofficial security patches for Windows 10 until 2030, with free and paid options. Micropatches can be applied without restarting, competing with Microsoft's ESU program, appealing to users avoiding upgrades.

12 comments
By @captn3m0 - 3 months
I maintain https://endoflife.date/ubuntu. Ubuntu security policies are indeed a hot mess, and opaquely documented on their own website. I use it as an example of how not to document your support policies at https://endoflife.date/recommendations.

At one point Ubuntu changed the EOL tables on their Wiki from 5 years to 10 with no explanation about applicability/ESM - just calling it LTS.

It is among the longest pages on our website.

By @jiripospisil - 3 months
I don't care they're gating this behind a subscription but the fact that they won't even tell you that you're missing an important security update? That's bad. I wonder how many people think they are fully up to date while being vulnerable to known bugs.
By @hs86 - 3 months
Most Ubuntu users don't know that Canonical only supports the main repository for free.

To my knowledge, only some comments hidden in /etc/apt/sources.list mention this, but the more honest approach would be to warn all users when they try to `apt install foo` some package from universe/multiverse. Or do it like RHEL with their EPEL repo and disable it by default.

But I guess they would have never gotten this popular if people saw that Ubuntu is only a few thousand packages compared to Debian's tens of thousands.
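As an added example (not from the article, any commenter, or Canonical's own tooling), a POSIX shell check that reports which archive component an installed package's version came from, so packages pulled from universe/multiverse, the ones that only get best-effort fixes without Ubuntu Pro, can be listed; the `apt-cache policy` sample below is constructed, including the package versions.

```shell
#!/bin/sh
# Added example: classify installed packages by archive component
# (main/restricted/universe/multiverse) from `apt-cache policy` output.
# Sample output and versions below are constructed, not captured.

# component_of: read `apt-cache policy <pkg>` output on stdin and print the
# component of the installed version, "local-only" if that version is in no
# configured archive, or "not-installed" if nothing is installed.
component_of() {
    awk '
        /^ \*\*\* /          { inst = 1; next }                 # installed-version marker
        inst && /Packages$/  { n = split($3, p, "/"); print p[n]; done = 1; exit }
        inst && /^     [^ ]/ { print "local-only"; done = 1; exit }  # next version block
        END                  { if (!done) print "not-installed" }
    '
}

# best_effort: exit 0 when the component is outside Canonical's standard
# (free) security maintenance.
best_effort() {
    case "$1" in universe|multiverse) return 0 ;; *) return 1 ;; esac
}

# report: on a live Ubuntu host, list every installed package that is best-effort.
report() {
    dpkg-query -W -f '${binary:Package}\n' | while read -r pkg; do
        c=$(apt-cache policy "$pkg" | component_of)
        best_effort "$c" && printf '%s\t%s\n' "$pkg" "$c"
    done
}

# Constructed sample: a package installed from jammy-updates/universe.
SAMPLE_UNIVERSE=$(cat <<'EOF'
tomcat9:
  Installed: 9.0.0-1ubuntu0.1
  Candidate: 9.0.0-1ubuntu0.1
  Version table:
 *** 9.0.0-1ubuntu0.1 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages
        100 /var/lib/dpkg/status
     9.0.0-1 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
EOF
)

# Demo on the constructed sample; call `report` on a real system instead.
printf '%s\n' "$SAMPLE_UNIVERSE" | component_of
```

On 20.04 and later, `ubuntu-security-status` (from update-manager-core) gives Canonical's own breakdown of the same main-versus-universe coverage.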

By @n3storm - 3 months
Ubuntu is reselling Debian; once they made it well, now I don't know.
By @thinkst - 3 months
The updates in universe are definitely best effort.

We were paying for Ubuntu Pro through an AWS subscription on 2k EC2 instances, and could not get Canonical to update a package with a CVSS 7.8 in the 18.04 LTS.

We've moved off Ubuntu Pro as a result. Blogged it at https://blog.thinkst.com/2024/07/unobtrusively-upgrading-ubu...

By @arjvik - 3 months
If I was looking for a distro with paid support (a la RHEL/Ubuntu) that's also not incredibly behind bleeding edge (maybe not as bleeding edge as Arch, but also not running patched-to-hell-and-back software like Ubuntu), what are my options?

Thankfully I'm not personally looking for this at the moment, I'm more than happy being my own sysadmin and running anything from Arch to Fedora CoreOS to OpenSUSE on my machines.

By @BeefySwain - 3 months
> ...what are my options?

> ...Maybe it is time to go back to Debian, as they seem to release these fixes to their users?

Curious if this would actually be a solution. They state that fixes in Debian are down-streamed regardless of support, so if this fix wasn't down-streamed, then why would it be in Debian?

By @bravetraveler - 3 months
I'd argue we wouldn't have Snap [for the better] if their LTS releases weren't visually bound to years... saving overhead they regularly create for cosmetic reasons.

Wouldn't have to create it to consolidate platforms if they stopped making them so often!

They have three concurrent LTS releases when they need one. Maybe two. 18.04 is the python2 of distributions. Let it go.

Having worked in several places that relied on it... ESM is being the bad kind of enabler.

Fedora handles "The Snap Problem" -- many target distributions -- with 'fedpkg' and 'mock'. Software and machines on the build side. Not by degrading the end user experience. They do participate with Flatpak... but that's peer pressure more than anything.

Flatpak is more well-rounded IMO. Probably from being the broader answer. Maybe this all doesn't make an argument. Just a bunch of statements. I don't know.

Back on topic: I wonder what all of this Canonical stuff in particular is for/leads to. New software isn't scary; 'just' plan/test. It becomes scary when you get lazy here... so accept your involvement.

By @markshuttle - 3 months
Your free personal Ubuntu Pro subscription does in fact cover as many VMs and containers as you can run on up to five personal machines, as the OP well knows. I like that we make Ubuntu Pro, including universe updates, free for anyone running at small scale.
By @cosmin800 - 3 months
Ubuntu is a mess. There you go, I fixed your title. Joke but no joke, it's real.
By @Suppafly - 3 months
Is it not possible to fix the one package from the Debian sources vs waiting for Ubuntu to allow him to get it from them?