I might be wrong but I think that's because the fix is directly patched by the ubuntu security team, NOT by the upstream package maintainer. That means they are providing their own patch, just faster. If the package is updated upstream, you will be able to get the update.
Also, ubuntu pro is free for up to 5 users so for most users this is just a free additional feature. There's almost no downside here, at worst you get the updates as quickly as you would in any other distro. They also update packages that do not get upstream support at all anymore, such as python 2.7. Which obviously requires a lot of work directly from Canonical, so I don't really get the reaction in the comments here.
This reddit comment explains it way better than I do:
>It is a bit more nuanced. These are not fixes by the package maintainer or the community. Those you get regardless of Pro status.
>Pro is for patches by the Ubuntu security team. And I understand why they require an opt-in, as not everyone would want their packages patched by Ubuntu (instead of waiting for an official patch from the maintainer).
>So basically Ubuntu are giving you a new feature (that you won’t get at other distros, these are patches by Ubuntu themselves) for free if you would like to opt in for it.
>They could have communicated it better, but the rage is misplaced in my opinion.
https://www.reddit.com/r/Ubuntu/comments/10pqklh/canonical_t...
> There's almost no downside here, at worst you get the updates as quickly as you would in any other distro.
There could easily be a downside. It's free for 5 machines for now. However, the big risk IMO is if relying on Ubuntu for security patches becomes a normal thing.
In fact, it could even go as far as having Ubuntu make deals with software developers to maintain security patches for software past a certain lifecycle (ex: 2-3 years). By doing that, Ubuntu could discourage projects from running their own LTS programs and all of a sudden Ubuntu would become the only viable LTS distro.
Open source means nothing. Whoever controls the development effort is the one who decides how open software really is. If Ubuntu manages security patches for all the LTS packages, the only choice of LTS distro is Ubuntu and there's no way on earth they'll keep any kind of significant free offer available if that happens.
That's a good question! I have no clue, but I know that they also patch unsupported packages that probably aren't getting updated anymore. I'm not sure how they assess which packages are vulnerable but I guess some of them already have a fix upstream that didn't go through the (debian or ubuntu) repo maintainers yet.
I haven't looked really closely so maybe I can, but when I've looked in the past, I couldn't start an ubuntu machine on AWS that's a "pro" version, at say 1c/hour ($87/year) or whatever, on top of the x cents an hour I pay amazon for the machine.
Instead I have to raise a separate business case about why I want to pay for support, manage a separate line item in my budget, etc, etc, that's all tedious, so I don't bother.
You are right, my comment wasn't completely accurate since I forgot to mention that the free ubuntu pro plan is only for personal use or for less than 5 devices. I don't think you can get it working on a cloud instance even if you are eligible for the free plan unless you manually install it on a VM or something.
Aw man… I'm really not looking forward to getting out of my comfort zone of just running the current Ubuntu LTS on all my machines. Not that I fear other distributions, but I'm just at a loss at figuring out how to get the combination of broadly supported (also by Steam and Proton on my desktop rig), just working out of the box, and minimal fuss.
The writing has been on the wall a while though, with snap making some tools borderline unusable until you install a non-snap version.
"Minimal fuss" has been an Ubuntu strength since the very start. First it was the debian-sanity approach to a desktop that worked just fine.
But LTS really helped keep fuss even lower. I remember buying my first Ubuntu laptop from Dell in disbelief. No fuss, worked for years, no issues.
Right now I gather Ubuntu has a lot of commercial runway and partnership to leverage. Community runway is going to be shorter but there are still (as I understand it) workarounds for just about every significant issue people have with the distro.
What's concerning is that workarounds are essentially the same thing as fuss, for a lot of users out there.
With both Mint and Pop!OS I worry about the consequences of essentially being downstream versions of Ubuntu. I'll see if the Mint maintainers have a view on this; it does seem like a candidate.
Pop!OS seems nice, but I never really got the impression that System76 is doing much more than just reskinning Ubuntu. It just doesn't feel like something that will last.
Going back upstream is an option of course, i.e., Debian. It seems to have modernized quite a bit since the olden days.
The Mint maintainers have Linux Mint Debian Edition (LMDE), which is based on Debian and pretty similar in functionality to the Ubuntu version though you do miss some nice features (for example I don't believe the driver manager is present in this version). They seem to be hedging their bets for if they ever need to jump ship away from Ubuntu.
> Pop!OS seems nice, but I never really got the impression that System76 is doing much more than just reskinning Ubuntu. It just doesn't feel like something that will last.
I think this undersells Pop!_OS a fair bit. They have a FAQ that actually has a heading "Isn’t it just a re-skinned Ubuntu?"[0]:
> To call it a re-skinned Ubuntu brushes over all of the features and quality-of-life improvements that Pop! developers work diligently to create. For an in-depth look at the effort and manpower that goes into updating and maintaining Pop!_OS, take a look at our Roadmap documentation and the This Week in Pop! series on Pop!_Planet. Below, you will find a general list of improvements that make Pop!_OS stand out.
I think the roadmap doc they mention[1] tells the story pretty well.
> I worry about the consequences of essentially being downstream versions of Ubuntu
For now it doesn't worry me much. Ubuntu is fine if you just remove the bad parts. If it becomes a problem, I see both Mint and Pop easily switching to Debian.
I feel like it's much more just reskinning Gnome though, or at least that is the part I like about it. I haven't tried it myself, but there is no reason I think you couldn't run their DE, tiling, and Launcher on top of Arch or NixOS.
I'm a daily user of Pop_OS! by System76. (https://pop.system76.com/) It's developed as a desktop system for their range of computers, but you can install it on anything, as I did. It Just Works™ and I didn't have any compatibility issues with it -- as an anecdote, once I was able to connect to a Samsung printer out of the box, while my friends using Windows had to search online for drivers.
I bought a laptop from System76 with Pop_OS! installed.
After turning on wifi and running the updates, I then installed emacs, firefox, and KDE from the Pop_OS! repo, then ran the updates again.
Instead of continuing the process of "moving in", I found apt was now in an error state with what appears to be some broken circular dependencies. My immediate conclusion was that Pop_OS! is either flaky or I was unlucky enough to use their system for the first time just as they had a packaging bug that affected me.
I don't think putting out a solid distro is a trivial thing. System76 probably put a lot of effort into their (IMHO weird) desktop environment. They also have been promoting donation subscriptions for Pop_OS! development support. Based on my experience, I wonder if they bit off more than they could chew, squandering effort on flashy things rather than doing the basics well.
I agree I'm going to migrate away from them, I can't support this.
Naive question: I've got ubuntu running on servers (mostly just shared files and compute) and some cloud gpu machines. Are these affected as well? As in the ubuntu images that come from aws et al are presumably not "pro" so they won't be properly patchable?
As an aside, what a rip-off. I'm generally hesitant to use free tools from for-profit companies for fear of how they'll later try and monetize, and this is a pretty good case of a company deciding to lure people in then do something really scummy.
"I'm generally hesitant to use free tools from for-profit companies for fear of how they'll later try and monetize, and this is a pretty good case of a company deciding to lure people in then do something really scummy"
Counterpoint: Canonical has to pay people to produce Ubuntu. Eventually they need to figure out how to get enough people to pay to cover expenses, salaries, etc. The last revenue figures I saw from Ubuntu were in the green, but that was 2020 and it's not like they were generating a huge profit. The prior year showed a loss. And apparently they are or were planning to go public in 2023. [1] (Whether they'll go through with that given <gestures at everything> the state of the world is another question.)
If the existing system isn't converting enough users from free -> paid, then the alternative may be "didn't work, stop producing these tools, period."
I've had my fair share of complaints about Canonical over the years (Snap, Unity, the so-called Harmony effort to normalize non-friendly CLAs), but if you like being able to expect releases with a certain level of polish and updates... they've got to bring in money.
If you and users like you are unwilling to pay when they don't employ monetization tactics, then... either they end or they start exploring ways to bring in money.
So - just doling out Ubuntu hasn't quite done the trick. If not for "scummy" tactics, what is going to get you to pay for the things you use? If the answer is "nothing" then there's little value in Canonical catering to your preferences.
You seem to have made a lot of assumptions about me. Anyway, what you're saying backs up my point imo. There is always some risk depending on another party. If I'm using say python, I feel relatively secure they won't start shaking me down for money. For the reasons you mention, the same isn't true for ubuntu.
> I agree I'm going to migrate away from them, I can't support this.
It almost certainly doesn't affect anything you run on your servers.
Even if you did have Universe packages on your servers, what it means is that you now have the option to get Ubuntu Pro and have security updates for those packages.
Up until this point, you did not get security updates for those packages.
There are now Arch-based distros that are quick and easy to set up, like Ubuntu. I'm currently running EndeavourOS, and I am eager to try Manjaro.
Don't be put off by the Arch-based nature of the OS - since both Endeavour and Manjaro have installers, they bootstrap your system's drivers, and all.
I've found maintenance to not be too overwhelming, and Arch's wiki is top-notch. When I used other distros like Gentoo, I sometimes found myself reaching for the Arch wiki...
Package management isn't too different from using apt, synaptic, or the app store if you use the right tools:
Command-line:
- Pacman: for precompiled official packages
- Yay: Automagically compiles community-ported third-party applications
GUI:
- Pamac: Look it up - it's a lot like Ubuntu's "App Store"
The caveat here is that I'm an experienced Ubuntu/Debian user that moved to Gentoo for a while.
While using Gentoo, I got tired of the systemd migration nightmare and returned to Ubuntu to find the nightmare of Snapd and poorly-sandboxed applications in their community repo.
I've only used Arch for about a month, but after using Gentoo and Ubuntu, I think I'm staying here for a while. The kernels are brand-new and the GPU driver performance is at least 2x what I was getting in Ubuntu. With the derivatives, there's no reason to bootstrap an Arch system from the kernel framebuffer, like the olden days of Gentoo and Slack.
Arch itself has an install script (archinstall) these days which streamlines the install process a ton. Not sure how stable it is though (I hear it is still considered experimental) but it certainly made my recent install on my thinkpad a breeze.
This comes across as bad but it is actually not that bad.
Those packages are from the universe repo, which includes ~23,000 packages that historically have been best effort maintained (unlike the main repository with ~2,300 packages that have guaranteed maintenance).
Ubuntu continues providing guaranteed maintenance for the main repo for free as it always has.
Now they are adding additional maintenance guarantees for 23,000 packages (which is a positive addition IMO), and making that available via Ubuntu Pro.
You can opt to not use Ubuntu Pro and you would continue getting the same guarantees as you were getting from Universe as before (which largely tracks Debian).
More details here in the "What's new with the Ubuntu Pro plan" section of https://ubuntu.com/pro
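As an added example (not code from the thread or from Canonical), here is a small shell parser over `apt-cache policy` output that lists which installed packages come from the universe or multiverse component, i.e. the best-effort ones the main/universe split above describes. The `apt-cache policy` text below is constructed for the example; on a real Ubuntu host you would pipe the real output (for every installed package) into the same functions.

```shell
#!/bin/sh
# Inventory installed packages by archive component, parsed from
# `apt-cache policy` output. On a real Ubuntu host:
#   dpkg-query -W -f '${binary:Package}\n' | xargs apt-cache policy | universe_installed
# Hosts with Pro attached will additionally show esm.ubuntu.com origins
# for the packages Canonical patches under Pro.

# Constructed sample in the apt-cache policy format (versions are made up):
# one package installed from universe, one from main, one not installed.
SAMPLE_POLICY='nginx-extras:
  Installed: 1.0-1ubuntu2
  Candidate: 1.0-1ubuntu2
  Version table:
 *** 1.0-1ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages
        100 /var/lib/dpkg/status
     1.0-1ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
openssl:
  Installed: 3.0-1ubuntu3
  Candidate: 3.0-1ubuntu3
  Version table:
 *** 3.0-1ubuntu3 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
        100 /var/lib/dpkg/status
     3.0-1ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages
redis-server:
  Installed: (none)
  Candidate: 6.0-1ubuntu1
  Version table:
     6.0-1ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
'

# Print "<package> <suite>/<component>" for every archive origin of the
# version that is actually installed (the "***" entry of the version table).
installed_origins() {
    awk '
        # A non-indented line ending in ":" starts a new package block.
        /^[^ ].*:$/  { pkg = substr($0, 1, length($0) - 1); in_inst = 0; next }
        # "***" marks the installed version; its origin lines follow it.
        /^ \*\*\* /  { in_inst = 1; next }
        # Any other version line (5-space indent) ends the installed block.
        /^     [^ ]/ { in_inst = 0; next }
        # Origin line: priority, URL, suite/component, arch, "Packages".
        # The /var/lib/dpkg/status line has no URL and is skipped.
        in_inst && $2 ~ /^(http|https|ftp|file):/ { print pkg " " $3 }
    '
}

# Reduce the origin list to the packages whose installed version came
# from universe or multiverse, one name per line.
universe_installed() {
    installed_origins | awk '
        { split($2, sc, "/") }
        sc[2] == "universe" || sc[2] == "multiverse" { print $1 }
    ' | sort -u
}

# Stand-alone run over the constructed sample: prints "nginx-extras".
printf '%s\n' "$SAMPLE_POLICY" | universe_installed
```

Packages listed this way are the ones whose security fixes, per the comment above, come on a best-effort basis unless Pro is attached, so the list is what you would cross-check against your patching expectations.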
> This comes across as bad but it is actually not that bad.
It's actually pretty bad. If you're running Ubuntu anywhere there's a bit of bureaucracy, like a government or large business, you get backed into a corner.
You can never use any of the packages from 'universe' unless you're buying Ubuntu Pro because if you ever get hit with an exploit where there was a patch available, regardless of the circumstances, you'll get crucified.
The insurance company, admin staff, ambitious peers, security analysts, etc. will bury you for not patching a known vulnerability. This is the end of Ubuntu's 'universe' repo for businesses that can't afford $500/year/server. It's just that no one has realized it yet.
Well, yeah. This has always been the case, but now you can pay to not have this be the case. They're not taking anything away. If you had these concerns about the universe repo before Ubuntu Pro, you should not have been using it in the first place.
Aggressively pushed snaps. Apt and MOTD ads. And now this.
Look, I get it, no-one is entitled to free labour. But OSS runs on goodwill. Canonical profited obscenely from the rich open source community and diverse set of packages. And that’s OK - it’s the nature of open source. They get to differentiate with their orchestration tools and premium support. But the expectation is that when it comes to security patches, we all chip in, in the name of collective safety. If you’ve benefited from packages being part of your ecosystem and you patch a vulnerability, you contribute it back.
I have to challenge that. Their last revenue numbers that I can find (2020) indicate a moderate profit on a headcount of about 500 people.
They've grown pretty well, but that's not the same as profited. Canonical targeted the gaps that Red Hat left when it moved from Red Hat Linux -> Fedora / RHEL, and ate up a lot of the Linux market and grew the pie a bit in terms of people using Linux.
But Canonical has never been making money hand over fist. Their finances aren't public but AFAIK they've largely been in the red or breaking even. Their 2020 financial statement indicated profit for 2020 but loss in 2019.
An interview with TechCrunch last year[1] suggested their revenue was "$175m last year" -- that's a small fraction of Red Hat's revenue and less than SUSE if I'm not mistaken.
Note I'm only responding to their push for Ubuntu Pro - if they're also not pushing patches back upstream or playing games like that, that's a different story. But that's not about making them available vs. making them convenient.
Having profited from OSS does not mean that the company has profit left over after spending their money on whatever they want. Canonical certainly has had no shortage of frivolous projects that anyone outside could see were doomed long before they were axed, often from inception. Examples that immediately come to mind are Bazaar, Upstart and Mir (the display protocol and required changes in pretty much all applications toolkits, not their now-a-Wayland-compositor).
“The mission for Ubuntu is both social and economic. First, we deliver the world’s free software, freely, to everybody on the same terms. Whether you are a student in India or a global bank, you can download and use Ubuntu free of charge.” - https://ubuntu.com/about
Red Hat Enterprise self-support: $349/annum “Can only be deployed on physical systems. Cannot be stacked with other subscriptions. Is not intended for production environments.”. Doesn’t come with 5 free installs! https://www.redhat.com/en/store/red-hat-enterprise-linux-ser...
* There's an app in the Universe repository, which consists of software that is not formally supported by Canonical at all, which has security updates that are actually available from Canonical if you're an Ubuntu Pro subscriber.
This is Canonical getting their hands dirty and applying their own patches faster than the package maintainers. If the package maintainer releases a patch then that is applied like normal, no Ubuntu Pro required.
Once again: If they weren't offering this, it wouldn't be patched at all.
If they didn't have this, the security would be lower for everyone.
They have not taken anything away from anyone here, they have only provided extra services to people who pay.
They communicate this poorly, obviously. And it needs to be made clear that they are not withholding community patches, only contributing for a price priority patches to previously community-only packages.
As opposed to the majority here, I think this is a pretty good thing worth paying for.
>Ubuntu pro reduces your average CVE exposure time from 98 days to 1 day. In a
The 98 days is still better than on Windows.
> In addition, it includes expanded CVE patching, ten years of security maintenance, optional support and operations for the full stack of open-source applications.
This should be really important for anyone who really cares about their privacy and security. Looks like Ubuntu is providing extra support, kind of like on-call for your desktop and server security. Interested what their SLI and SLA are and how confident UbuntuPro is they can maintain it for long.
This is definitely better than relying on community based distros that can't release patched Chrome because 2 developers went on holidays.
Can somebody tell me how it was before? Ubuntu Universe packages were also maintained on best-effort on non-paid 5 year official support before? I mean was something taken away or not on the free version?
You are correct, nothing was taken away. It is a different structure than any other distro where:
A. Packages just get updates.
B. The official repos are entirely supported but smaller.
Ubuntu does the weird split of "It is official but we don't support it". And now that they monetized it you are in a situation where it's easy to install something, because they offer it, and then later they hold an update hostage.
Ubuntu used to be a nice default distribution, but with the hideous snaps and now apt spamming ads for a $500/box/year subscription for security updates, it's getting pretty ugly.
Wow. I completely missed that was per year. I thought it was a one time purchase and thought that seemed a bit high. MS sells Server Essentials for up to 10 cores for $500 and that includes use on 1 VM as well AFAIK (don't take that as licensing advice).
I think this new policy creates an escalated security threat. Ubuntu is now effectively advertising which packages have security issues. They have painted a clear target on their users, when previously some work would be required to dig up the same list of vulnerabilities. In other words, this new form of advertising seems to actively help those who would do us harm. This effectively makes Pro a protection racket.
> Alongside Ubuntu itself, each of these applications is fully security patched for high and critical CVEs for 10 years. This enables organisations to take advantage of a secure and stable open-source ecosystem with none of the usual maintenance burden! No need to worry about scanning, applying, and testing the latest upstream security updates.
I've been using Ubuntu (and variants that use the Ubuntu repositories) for years. I'm glad to see this push by Canonical for improved quality/security across the "universe", and I also see it as a reminder that I've been benefiting from their work without compensating them for years. I'm going to sign up for a paid pro account even though the free tier would be enough for me.
No delays (lower risk), compliance with various certifications, lower cost. Most people wouldn't buy the service though, which is why for most people it is completely free.
Note that the license for a server costs $500/year, whatever the number of CPUs (!), while the same license for an instance in Amazon/AWS will be cheaper (and the price varies with the instance's size).
Anyhow: as somebody already wrote, this will have AWS users move to AWS linux
RHEL and derivatives have long been the standard in the Ops world for their stability. Rocky Linux and Alma Linux are the main two community editions, they are both supported by pretty good communities, so it's hard to pick one.
Seems Ubuntu was largely popular with devs and the masses due to its ease of use back in the day. Never understood why more didn't just go with Fedora back then.
My last dip into alternative distros (~2 years ago) for my dev desktop was quickly over due to various problems/missing settings for display, audio and network. Not saying it wouldn't have worked (one was even ubuntu based), but I had to go and configure desktop stuff on the CLI, including having to figure out how. I'd rather not.
I'm absolutely fine running something else on a server though and my docker images are usually alpine based. But for desktop Ubuntu is the closest to "looks decent and just works"
I used to be a RHEL admin and was just more comfortable over there, but after the whole CentOS mess I ended up running Ubuntu LTS at home instead - I just wanted a "set it and forget it" machine so I didn't go with Fedora.
I'm currently regretting that decision, as I'm really not looking forward to devoting another weekend to rebuilding again.
I don't know about Rocky, but I updated all my CentOS systems (about a dozen desktops and a file server) to Stream and they work fine. The changeover has been pretty much a non-event.
I just rebuilt one my ceph nodes with Rocky 9. Seems they are pretty closely tracking RHEL. I think Alma is a little quicker with patches, but both are fast.
> Never understood why more didn't just go with Fedora back then.
For me at least: back then Fedora didn't have a supported non-terminal way to upgrade to a newer major version. (Whereas now upgrading Fedora is more polished and simpler than Ubuntu.)
Fedora, while very nice, goes too fast. Basically as fast as the non-LTS Ubuntu releases. Ubuntu has the LTS option; for Fedora, that LTS option was CentOS and today Rocky/Alma.
With the rest, I agree. I run fedora on my desktop, but I would not use it for my parents, for example. Even with LTS, they were complaining that it changes all the time.
If it works for you, why not. Just be aware that the point releases did have breaking ABI changes, and now they can happen randomly, without waiting for a point release.
Since I used the old, non-stream centos, the changes left some bitter taste. Enough to prefer alma.
Wouldn't Debian be a safer choice? Ubuntu is just layers on top of Debian (one of the layers being the "pro" thing, it seems...). So Debian should be the obvious solution. RHEL would be the most likely to move in the same direction as Ubuntu, wouldn't it?
The real problem is that Ubuntu is emitting knowingly vulnerable software for free, and then flaunting "if you were part of our pay-group, you'd get the security patches".
The ethical thing is to upstream the fixes, or quit transmitting knowingly faulty and vulnerable software.
Charging money isn't explicitly against the GPL, BSD, or similar FLOSS licenses. However, are they doing what's required of them with the licenses they're making changes to?
Better yet, are they submitting these fixes to the package maintainers to fix? What would happen if *I* get this Ubuntu Pro Plus Super crap, and download source, diff it, and submit the diff?
Better yet, now that Ubuntu has a fiduciary reason to slow down updates/fixes to Universe, are they going to impede package security fixes and updates, as it now hinders their revenue stream?
> As explained, this isn’t what they’re doing at all. They’re putting their own patches in, not withholding upstream patches.
As explained, Ubuntu is providing knowingly security-vulnerable software, and then as an upcharge offering their own custom fix. There's plenty of ways to handle this, some better and some worse. They chose worse.
> If all they did was patch upstream, you’d have to wait longer for the fix. I don’t see how that solution is unambiguously better.
Again, they flagged vulnerable software. They could have emitted a message via APT to warn of a security incident with said software. Or they could remove it from the repo until fixed, or hide it behind a flag with apt.
They instead chose to keep disseminating it, and then gatekeep their fixes.
> What would happen if I get this Ubuntu Pro Plus Super crap, and download source, diff it, and submit the diff?
If it’s GPL or BSD then you’re certainly welcome to submit the patches if Ubuntu haven’t. I don’t know why you’re casting aspersions without actually checking what they’re doing.
So, if Gnome DE has a zero-day exploit Ubuntu should immediately pull the Gnome Desktop until the upstream patches it? Otherwise, it's not about ethics just time.
This isn't a binary answer, no matter how much you try to cast it as one.
Software exploits are found regularly. But this is different, with the fact that Ubuntu is peddling knowingly vulnerable software, and then with the implicit threat of "Sure'd be a shame if you were hacked by our software we know is vulnerable... cause you didn't pay us for the fix".
I don't know the "best" course of action that applies everywhere. In some applications, you take the chance until the fix is out. Others, you take it down. And in others, you throw on extra detections and remediations to impede the attack. But you know this - you just wanted to get your one-liner quip in.
Ubuntu put crap in the MOTD. They could have just as easily made an RSS feed, attached it to the security patches, and alerted users of impending "bad stuff down the pipeline". But instead, they just SNAPify and shove more garbageware and terrible decisions down the pipeline. Basically, Ubuntu is the next case of Cory Doctorow's "enshittification" of software and goods.
That's the problem: for those of us who run Ubuntu and related (Xubuntu here), we found out about this by our regular updating, and having apt give that rude message.
It's basically a "fuck you pay me" message, with the subtext of "it'd be a shame if someone was to hack that vulnerable program I just gave you".
- support for Ubuntu universe, which even RHEL doesn't match (they don't offer any kind of support for RPMFUSION), they even offer support for complete projects like WordPress and redis and so on.
- 10 years of support
- faster patches
- 5 free production instances
My only gripe is that Livepatching seems to restart userspace every time it checks for updates, which breaks rootless docker.
Since the free version offers no support, you practically have no place to ask questions about Livepatch, as the Ubuntu forum and askubuntu don't allow it or anything related to Ubuntu Pro.
That's without mentioning snaps and the crazy advertising, but it's still pretty good.