Some Ubuntu security patches are now behind 'Ubuntu Pro', a paid product (cloudisland.nz)
83 points by tarotuser on Feb 1, 2023 | hide | past | favorite | 99 comments



Further context: Ubuntu Pro is an extended support subscription for Ubuntu. Previously, Canonical would only provide security updates for packages in the "main" repo, while packages in the "universe" repo were solely updated by community package maintainers. It looks like subscribing to Pro will grant access to a new stream of security updates by Canonical for the "universe" repo, while not subscribing will leave you in the same state you were previously. It seems like the main problem here is Canonical completely messing up how they're communicating this to users (also, I would be pissed off if I kept seeing the nag messages every time I checked for package updates).


I don't think it's just a communication issue. There's something really slimy about offering known-vulnerable versions of software for free and then charging for the security patches.


It's a perverse incentive for sure.


Previously things made sense, as no one was actually working on Universe so it was a best effort thing. But now, Canonical is indeed working to make those packages secure, but is withholding the patches and only publishing to people who pay? That's not very much Open Source philosophy if you ask me...


Not true.

The Canonical security team and wider Ubuntu contributors will still make best efforts to update universe. Neither the team nor I are interested in degrading a prior experience for our free users. We know what the criteria were for those best-effort universe updates, and they remain unchanged.

What's changed is that there is now a much larger team that will systematically fix every high and critical vulnerability in universe, with an SLA. That's a huge improvement, it's great for enterprise users, it enables people to use Ubuntu in regulated and mission-critical environments. It also makes me very happy that we give it free for personal use on 5 machines.


If Canonical is doing all the work to make the updated packages, but is then withholding most of them from the free universe repo, how is that "best effort"?


We have a set of criteria for things we always did in universe, and we'll keep doing those things, as will other members of the Ubuntu community. Even without Pro you are better off using Ubuntu than another free distro if you care about security updates- there are more free updates, even in universe, than in equivalent open-ended repos anywhere else. Pro just makes that open-ended repo much better, and adds an SLA for people who have to report on security patch compliance.

Over the years, companies have started asking us to do more for them in universe, and now that body of work is available to all customers. We are making it freely available to you and others under a personal subscription. I think that's rather elegant, I hope more and more companies see Ubuntu Pro as a very cost-effective way to get full compliance for their estates, and I hope we can keep growing the set of things we make available for free as a result.

If you look at the range of packages covered, and the numbers of issues addressed, it's way, way more than any other enterprise Linux offering. If it were possible to provide enterprises with this level of security update coverage for free, then I'm sure someone would have figured out how to do that. I couldn't figure out how to fund full security coverage of universe without having customers for that work. In the end, I think the Ubuntu Pro free personal subscription is a very nice way to balance what are ultimately conflicting desires between people who quite understandably want more and more for free, and people who are able to buy the work that they need.


I think you’ve got it the wrong way around.

They can only make these patches because large enterprises wanted them and were willing to pay for them, and they have found a nice way to make the patches available free to you and me. If they made them free for large enterprises too, that funding would go away and we would all lose them.

Also, the extra security work on universe means there are more people who can handle the main repo even better. So even non-Pro users have benefitted.


You phrase this as if this were a physical necessity, and not a situation purposefully engineered by human beings to be so.


It's not a physical necessity but it is the economic reality. I don't think the people at Canonical, specifically, should be blamed for the fact that we live in a capitalist society.


They’re offering 5 machines for free on Pro to sweeten the deal a little bit but I agree this is communicated poorly.


Your philosophy sounds completely weird that if someone works for an open source project, they have to provide everything free even for new stuff that required extra efforts.

Free riding isn't always available. Have you helped the community in any way?


It might have made sense in some Canonical internal business perspective but it didn't, and doesn't, make sense for users who are exposed to unmaintained multiverse packages without big warning letters about security risks.


The package in question is libjs-jquery-ui which is in the universe repository. The universe repository is explicitly community supported only and needs to be enabled as it's not on by default.

Ubuntu Pro promises 10 years of security updates to some of the packages in the universe repo.

In Redhat speak, this is like RH supporting some EPEL packages if you have a subscription.
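A practical check that follows from the post above: before deciding whether the Pro nag matters for a given host, list which installed packages actually come from universe (or multiverse, or from no configured archive at all), since those are the ones outside the "main" security coverage being discussed. The script below is an added example and is not from the post, the linked discussion, or Canonical. It parses the text format of `apt-cache policy` (the `Installed:` line, the `***` marker for the installed version, and the `500 <url> <suite>/<component> <arch> Packages` origin lines). The embedded input is a constructed sample of that output; the package names and versions in it are illustrative only. On a live Ubuntu system you would feed it real output with `apt-cache policy $(dpkg-query -W -f '${binary:Package}\n') | python3 universe_audit.py`.

```python
"""Classify installed Ubuntu packages by archive component using apt-cache policy output."""
import re
import sys

# Constructed sample of `apt-cache policy` output (not taken from a real host).
# It covers the cases a real audit meets: a universe package, a main package
# that was updated from -security, a locally installed package whose version
# is in no configured archive, and a package that is not installed at all.
SAMPLE_POLICY = """\
libjs-jquery-ui:
  Installed: 1.13.1+dfsg-1
  Candidate: 1.13.1+dfsg-1
  Version table:
 *** 1.13.1+dfsg-1 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
        100 /var/lib/dpkg/status
openssl:
  Installed: 3.0.2-0ubuntu1.8
  Candidate: 3.0.2-0ubuntu1.8
  Version table:
 *** 3.0.2-0ubuntu1.8 500
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     3.0.2-0ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages
mytool:
  Installed: 0.1-1
  Candidate: 0.1-1
  Version table:
 *** 0.1-1 100
        100 /var/lib/dpkg/status
imagemagick:
  Installed: (none)
  Candidate: 8:6.9.11.60+dfsg-1.3build2
  Version table:
     8:6.9.11.60+dfsg-1.3build2 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
"""

PKG_RE = re.compile(r"^(\S+):$")                      # "name:" starts a package block
INSTALLED_RE = re.compile(r"^\s+Installed:\s+(.*)$")
INSTALLED_VER_RE = re.compile(r"^ \*\*\* (\S+) \d+$")  # the installed version row
OTHER_VER_RE = re.compile(r"^     (\S+) \d+$")         # any other version row
# "500 http://host/ubuntu suite/component arch Packages"; the dpkg/status
# line has no suite/component and therefore does not match.
ORIGIN_RE = re.compile(r"^\s+\d+\s+(\S+)\s+(\S+)/(\S+)\s+\S+\s+Packages$")


def parse_policy(text):
    """Return {package: {"installed": version or None, "components": set()}},
    where components are the archive components offering the installed version."""
    result = {}
    pkg = None
    in_installed_rows = False
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            pkg = m.group(1)
            result[pkg] = {"installed": None, "components": set()}
            in_installed_rows = False
            continue
        if pkg is None:
            continue
        m = INSTALLED_RE.match(line)
        if m:
            ver = m.group(1)
            result[pkg]["installed"] = None if ver == "(none)" else ver
            continue
        if INSTALLED_VER_RE.match(line):
            in_installed_rows = True
            continue
        if OTHER_VER_RE.match(line):
            in_installed_rows = False
            continue
        m = ORIGIN_RE.match(line)
        if m and in_installed_rows:
            result[pkg]["components"].add(m.group(3))
    return result


def classify(text):
    """Map each installed package to 'main', 'restricted', 'universe',
    'multiverse', 'mixed' (offered by several components) or 'local'
    (installed version is in no configured archive, e.g. a removed PPA)."""
    out = {}
    for pkg, info in parse_policy(text).items():
        if info["installed"] is None:
            continue
        comps = info["components"]
        if not comps:
            out[pkg] = "local"
        elif len(comps) == 1:
            out[pkg] = next(iter(comps))
        else:
            out[pkg] = "mixed"
    return out


def uncovered(text):
    """Installed packages outside main/restricted: the ones the thread is about."""
    return sorted(p for p, c in classify(text).items()
                  if c in ("universe", "multiverse", "local"))


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_POLICY
    for pkg, comp in sorted(classify(data).items()):
        print(f"{comp:10} {pkg}")
    print("outside main/restricted:", ", ".join(uncovered(data)))
```

The "local" bucket is worth watching as closely as universe: a package whose installed version is offered by no configured archive will never receive an update from anywhere, Pro or not. As far as I know, Canonical's own `pro security-status` (in ubuntu-advantage-tools) reports a similar breakdown on a live system, so this is mainly useful where that tool is unavailable or you want the raw list in a script.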


I don't think Red Hat has ever said anything like "A known-vulnerable version of this package is free. We did the work of making a security patch for it, but to get that, you have to pay." for any of their releases prior to EOL.


So Ubuntu offering some support where RH offers no support is worse?

To the best of my knowledge, RH won't touch EPEL with a 10 foot pole.


> So Ubuntu offering some support where RH offers no support is worse?

Which is worse: putting asbestos in everything because you don't know it's harmful yet, or once everyone learns that it is harmful, having a cheap product line that you put asbestos in and an expensive product line that you don't?


Emotive analogy, but lets run with it.

We've all decided to build with sustainable local materials, which anybody can dig up without harming the environment. That's wonderful! Unfortunately, the materials sometimes turn out to have asbestos in them.

Canonical and a large number of friends enjoy digging, and they make those local materials available for free, no digging required, as Ubuntu. So Ubuntu happens to be a free source of pre-dug materials which is popular for lots of reasons.

People with big buildings who like using Ubuntu need the asbestos removed if its found, and Canonical has started to do that for them commercially. Canonical have also said they are happy to remove the asbestos for free for small buildings, as long as the big-building people keep funding them to do it. The more big building people choose Canonical to sort out this issue, the better it will be for everyone using Ubuntu, even if they don't do any digging themselves.

Seems like a great deal for people with smaller buildings, as long as people with big buildings also think it's a good deal. Since I happen to like helping people with smaller buildings, I think this is all pretty square.


Open source: if it isn't perfect, don't bother.


Wow. Just wow.

Now I'm REALLY glad I switched my entire infrastructure over to Debian last year.


Why people use ubuntu over debian on servers will never cease to amaze me. Ubuntu is a literal downgrade.


I don't because of documentation. I know I can google anything about Ubuntu and I don't want to spend a lot of time figuring it out myself. Same reason I moved back to x86 from ARM; had a lot of issues with ZFS on a Pi4b.

Specifically about Debian. I find more than 1 year old versions pretty outdated. I couldn't try Go generics because the version was too old... that pissed me off.


My solution is to run Debian stable as the host operating system and to build containers on the occasion that I want a more recent version of something.

The learning curve for something like podman really isn't that steep, and a relatively small investment in learning that has paid many dividends for me through the last few years.


16-17 years ago, Debian was infamous for having old versions of many popular packages (e.g. Python, gcc). Ubuntu caught on for being "just like Debian" except kept more up to date with the latest and greatest.

Nowadays Debian isn't lagging behind anymore, thankfully.


Most of the software that is in the Debian release from this December was released in 2020. Examples include: go 1.15, gcc 10.2, postgresql 13, systemd 247. Ubuntu 20.04.1 has go 1.18.1 and gcc 9.4. It's all a mixed bag and somewhat disappointing.


Have Debian Unstable and Testing ever really been that musty?


Stable was mummified, Testing was musty, and Unstable had the opposite problem and was named Sid for a reason.

Ubuntu used to fit between Testing and Sid.


I find that description overly negative. I was running Testing on my work laptop for years (up to 2017) and I only had to build like 5 packages myself where I needed a bleeding edge version. Definitely didn't feel worse than any Ubuntu release after a few months into the cycle.


How was Ubuntu worse than Debian on servers prior to this change?


Snap. Just horrible. Constant source of headaches, frustration, and disappointment.

Snap drives users away. Here are some recent relevant HN threads:

Ubuntu Snap update spoiled my World Cup Final - https://news.ycombinator.com/item?id=34041272

Ubuntu: “How are we improving Firefox snap performance?” - https://news.ycombinator.com/item?id=32702062

Ask HN: Is it safe to remove snap from Ubuntu 22.04 LTS completely? - https://news.ycombinator.com/item?id=31198675

Firefox now only available via snap on Ubuntu - https://news.ycombinator.com/item?id=30776698

Ubuntu to Make Firefox Snap Default in 21.10 - https://news.ycombinator.com/item?id=28564600

Ubuntu 20.04 LTS’ snap obsession has snapped me off of it - https://news.ycombinator.com/item?id=24383276


I agree snap is awful, but isn't it almost entirely a desktop problem, since you're not usually running Firefox or Signal Desktop on a server?


> isn't it almost entirely a desktop problem, since you're not usually running Firefox or Signal Desktop on a server?

snap is installed on ubuntu server too, and if some junior engineer comes in, how are they supposed to know not to use it?

How are they supposed to know that after googling some variation on "install docker ubuntu" and getting "snap install docker" (https://snapcraft.io/docker), they should ignore those very official looking instructions which will give them a broken and buggy docker installation?

Perhaps the problem's theoretical, but canonical certainly encourages using snaps on servers, such as in the microk8s docs (https://microk8s.io/docs/getting-started), and I expect if canonical keeps pushing it, it'll become more and more of a server problem in reality too.


My issues with Snap involved LXC. I stopped using Ubuntu for that project because it was such crap. I couldn't even control what version was running unless I went to great lengths, because snap would automatically and silently upgrade to the latest available (which brought in breaking API changes).

Once my current 20.04 snowflakes fall out of security patch support and need a major OS upgrade, I won't be using Ubuntu at all ever again. There's no advantage over Debian, quite the contrary. Sadly, now Ubuntu is the disadvantage OS.


Creeping snapification of more and more packages (.debs that actually install a snap). It was somewhat bearable when it was only desktop, but they've been creeping more and more into server-side stuff.

ZFS support: https://www.omgubuntu.co.uk/2023/01/ubuntu-zfs-support-statu...

It's hard to put ones finger on a particular thing, but I've felt for some time now that Ubuntu is becoming increasingly user-hostile in the pursuit of money.

It was a similar kind of user-hostility that drove me away from Red Hat (when they started locking user-supplied support forums behind subscriptions).


ZFS

I only have Ubuntu server on my NAS. Everything else is Debian.

Considering switching the NAS to FreeBSD


Debian has ZFS support, no? That being said, a NAS running FreeBSD is probably the best choice.


+1 I've always run Debian and pitched for it, and it hasn't let me down yet.


Ubuntu is the delusional cult of convenience that doesn't scale well to extremely large operations. Their whole premise was they released a completely free distro that was identical to the commercial support version, as opposed to RHEL. If this is the case, then they've footgun fireworks factory fired themselves.

Debian is fine, but RHEL-derivates are most reliable because they run at scale and have the most stable kernel going.

CentOS (5 year lifecycle) is patched more often than Alma and Rocky (10 year lifecycle), so there's no "perfect" alternative free to RHEL. Large enterprises should be purchasing RHEL because most multibillion dollar companies run Cent or one copy of RHEL.

Also, I wouldn't use RPMs because they muddy the boundaries between OS and app: nix, microdnf, or habitat where all of "your" stuff is isolated and vendored separately. At the boundaries, it's important to sanitize environment variables, PATH, and shebangs that could cause bleed through. When in doubt, create a minimal chroot environment (even within containerization, and use SELinux) because apps shouldn't be able to run wild over a system.

Then s6 or a daemon tools-derivative non-init process supervisor that doesn't replace init is also important since Systemd is unreliable for real apps.


So if I'm reading sources.list correctly, universe repositories don't receive security updates from the Ubuntu team. Is it now the case that they do, as long as you've enrolled in Ubuntu Pro?

That makes it sound as if Canonical has taken some kind of responsibility for making these packages secure at a cost for more than five devices.


Security patches for universe used to be "best-effort". Now they're intentionally withholding all of them from everyone who's not subscribed to Pro.


Would this patch have existed without the Pro program?


I think so. So far, haven't they only cherry-picked existing patches into their packages? Have they written any new patches yet?


Thanks, that explains things a bit better. It sounds like it's better to not use the universe repository at all in that case. I don't suppose I can just switch over to Debian for those packages, can I?


So is this in fact a good thing reframed as something negative because Canonical is asking for money?


FOSS advocates: "It's free not as in Free Beer but as in freedom!"

FOSS users: "I'm gonna take it for granted and if someone ever wants to charge me money for anything open source I'm gonna be very angry".


Canonical wants to be another Apple. Ubuntu is like Darwin but Ubuntu Pro is like macOS.


A previous submission on this topic was flagged by users: https://news.ycombinator.com/item?id=34580360. I think this was because people felt it was misleading? Unfortunately it's nigh impossible for a casual observer (moi) to make sense of this from a URL like https://cloudisland.nz/@drV/109786183082845131. If this is a significant story, presumably there's a more substantial writeup of it somewhere?


I think this discourse comment by a Canonical employee should be read by everyone before making a judgement. It's really easy to make assumptions as an end user, myself included.

https://discourse.ubuntu.com/t/why-is-extended-security-main...

``` Canonical has never provided security updates for universe packages until this week, so nothing has changed for you if you decide to simply ignore the message ```


> Canonical has never provided security updates for universe packages until this week

Is that true, though? Until now, wasn't it just that they weren't guaranteed? Didn't Canonical make security patches available in universe on a "best-effort" basis, or at least say they did?


I'm not sure as I've never followed how OSS projects get patched w.r.t security in particular. I've always groaned at my employer for running EOL operating systems and tell them about upgrading to a supported OS to prevent getting into this type of situation.

My reasoning was that if we were running a supported version of $oss_project then we'd get security updated naturally.


That seems deliberately misleading. They may not have “provided” security updates, but they did “distribute” them when they were provided by community package maintainers.


The way I interpret that paragraph is that now with an additional revenue stream (Pro/ESM) they can develop security patches and only subscribers will get them. I think their attempt to get the conversation started (putting ambiguous sentences inside of apt) has back fired however.


Without a more granular solution in apt, this seems to require Ubuntu to halt the practice of allowing maintainers to provide their own updates for those packages. In other words, they seem to be taking away the community maintainers ability to provide updates for those packages. I am not sure how they can claim nothing is being lost here.


Perspective from someone who maintains Debian packages in the community repo here:

Package maintenance is time consuming and difficult. It requires a lot of volunteer work. Individual maintainers are overworked and unpaid. Packaging software often requires managing complex dependencies, writing documentation, developing packaging toolchains, and patching software.

Furthermore, stable release of a particular software version is even more of a challenge for package maintainers. Often upstream FOSS maintains only patch HEAD and release a new version. The responsibility of backporting changes to previous versions is left to package maintainers. To provide secure versions of old software, you're asking maintainers to have intimate familiarity with the OSS code bases and follow the dev process etc.

If I had community supported software exposed to the internet, I would be very concerned with the current state of things. I would want to ensure that individuals are invested with maintaining this software in a full-time capacity. It is important that "main" receives free updates. Ubuntu Pro seems like it enhances the OSS ecosystem. As a personal user, you can get a free subscription courtesy of Canonical.

It is important to remember that as the end user, you are choosing to enable the community repo. Without Canonical, you wouldn't even know this version of the software is vulnerable.


What is Ubuntu Pro and how will this affect me as a regular Ubuntu user? Linked post has no context


Ubuntu Pro is a paid* subscription that Canonical offers. It affects you if you've installed any packages in universe, e.g., ImageMagick, in that you'll be running known-vulnerable versions of them unless you sign up for Pro.

* Individual users can use it for free on up to 5 machines.


if it's gpl software, can they actually enforce that?

if they're distributing under gpl, that means they 1) have to make the source available, 2) the user maintains the ability to redistribute.

So provided that the user makes their own apt repo, they should be able to distribute it to as many machines as they see fit. That's essentially how centos operated. I'm sure there's some exceptions, around assets that ubuntu may own or any trademarks. But I shouldn't be learning this from an HN link to a twitter post of a screenshot that references ubuntu.com/pro. So I have the sense they haven't done much if any advertising for it? Maybe I've just been oblivious?

It is somewhat concerning that they're kinda holding security packages hostage...but I don't think it's unreasonable for ubuntu to want corporations to chip in. Gotta keep the operation running somehow, and bills don't just pay themselves. I don't know what else they can offer to make anyone actually shell out some cash.


> if it's gpl software, can they actually enforce that?

In practice, I think they probably will be able to, since grsecurity can for their patches (at least they've been able to so far) even though the Linux kernel is GPL. I agree that they shouldn't be able to.


I've filed a PR[0] for endoflife.date/ubuntu, (Preview[1]). Would appreciate feedback if this helps understand the mess.

[0]: https://github.com/endoflife-date/endoflife.date/pull/2424

[1]: https://deploy-preview-2424--endoflife-date.netlify.app/ubun...


There's not much context here-

Is this an EOL ubuntu release? In which case this is expected (arguable whether it's good practise or not).

If not, y'know, bugs are also a thing that happens.

Let's see how it plays out.


> Is this an EOL ubuntu release?

No, it's happening in 22.04 to me.

> If not, y'know, bugs are also a thing that happens.

I don't think it's a bug, because what's actually happening matches what Canonical's website says is happening.


Kind of, but it's sneakily hidden.

This is the webpage I'm looking at: https://ubuntu.com/security/esm

In the "Security Patching" comparison between Ubuntu LTS and Ubuntu Pro for the 23,000 Ubuntu Universe packages, they say "Best effort" for Ubuntu LTS v/s "10 years for Ubuntu Pro". This would lead a reasonable person to think "Okay, maybe it's 2-3 years at least for LTS?"

But in the graphic below for Universe, there is no orange section (unlike the 5 year line for Ubuntu Main). Which I think that Ubuntu LTS will now never guarantee any security patches for Universe, even if the distro came out yesterday.

Am I reading this wrong? I hope I am, but it seems to match people's experience.


You're correct. Packages in universe were never marked as supported, and never got any updates. The LTS definition has always been "main"+"restricted".


Ubuntu Pro pricing (https://ubuntu.com/pro/subscribe) seems pretty weird for a power user with a few desktops and a bunch of servers at home. Apparently it would cost thousands of dollars per year to subscribe them all, and require strictly counting the number of devices used. If it was something simple like $99 for unlimited usage, I would probably subscribe right away.


You get a free personal subscription which can be used on up to 5 machines that you personally own.

Canonical are letting home users, community, power users and small businesses benefit free of charge from the extra security work that much larger enterprise customers had asked for, and funded. If Canonical made it free for the large enterprises, they would stop funding it and we would all lose the best and broadest security coverage in the market. Also, the Canonical security team has grown a lot to do this work, so the security coverage of Ubuntu ‘main’ which has always been there is now even better.

So this is pure win for you, me, and everybody else on Ubuntu too.

If you don’t change anything, you get more free security fixes in Ubuntu than any other Linux you could pay for, for 5 years, and that keeps improving as more big companies use Ubuntu Pro. With a free subscription you get personal / small biz coverage that’s miles better than any other enterprise offering. And if you are a large business, Ubuntu Pro is an incredibly cost-effective way to get full coverage and things like FIPS and FedRAMP coverage while letting your developers use any of the tens of thousands of Ubuntu packages. It’s 3-4% of the cost of the cloud VM, a total no-brainer for any CISO.

There is a reason the fast-moving companies are building new stuff on Ubuntu.


That's all nice, but I have more than 5 machines, so there doesn't seem to be a well fitting pricing option for this kind of home power users.


Is there anything preventing someone with a subscription simply pulling those patches down and putting them in a freely accessible APT repo?


It’s supposed to be free for individuals with up to 5 machines, so it doesn’t seem like the patches will be hard to find.


I guess that you can, but it's actually easier to just switch to debian at that point.


Technically probably not, but expect Canonical to sue you if they find out you do.


On what basis? Most software is GPL which has redistribution rights.


Presumably for violating the contract you agree to when you sign up for Pro. As for the GPL being supposed to block this, it doesn't seem to have stopped grsecurity from pulling the same nonsense.


This could work for MIT, BSD and alike. But in case of GPL and other strong copyleft-licensed software - how this is supposed to work? They just can't throw some ToS over it and say "nah, you can't share it", that'd be a violation of GPL (and the only question is if there'd be a developer who would bother to sue for illegally distributing their work).


They shouldn't be able to do that, but that's exactly what grsecurity has been doing to the GPL'd Linux kernel for years, and they've gotten away with it, at least so far.


What is grsecurity doing that violates GPL? I’ve never used it (or even heard of it before now) but just took a quick look at their website, download page, and FAQ. I didn’t see anything that appears to violate GPL.



My understanding is they can't sue you but they can kick you out of the program. Or at least, good luck stopping them.



I think those ads are entirely reasonable. I had nothing against Pro until it led to them withholding security patches from people running the latest versions of their distros.


Me like them too, long time. Soon these Canonical shenanigans piss off enough of their users... Happy for you ubuntu and your fanbois.


Started seeing these messages earlier this week. It also says Pro is gratis for up to 5 machines.


$25 a year for me.


Free for up to 5 machines… for now. Lol.


[flagged]


Users flagged that post. I guess you can call users "censors" if you want (people mostly use that word to express dislike nowadays), but they're not doing it with any special authority.


User or mod, what's the difference? A user that has a direct or indirect tool at his hands to delete other ones' posts, this is very much a censor. Argue against something, if you like. But trying hard to shut someone's mouth, that is a bit much, to say the least...


The word 'censor' was traditionally used to describe an intervention by governing authorities. People have much stronger reactions to that than they do to actions by peers who have the same privileges as they themselves do.

You're right insofar that a ranking isn't any different based on who did the downranking. But there are other variables than just rank. If you don't believe me, wait until the next time we mess up and misapply moderation power, and see how ferocious the response is.


It seems some people just can't live without censorship being applied everywhere around them. If the government isn't doing it, or by proxy social media sites, then some users themselves find they need to replace that hole in their life. How can one's day be complete if nobody has been canceled or shut down or deleted. So amaze. Wow. I am proud of you, Big Boss.


We're trying to play a particular game. It isn't censorship to tell the players (i.e. commenters) that they have to play by the rules (https://news.ycombinator.com/newsguidelines.html).

Say you're in a baseball game. Do you get to tackle the pitcher? No you don't because that's not how baseball is played. If you want to tackle, you should go to a football game instead. Right?


What's the difference? Anything controversial seems to get flagged and die off quickly, whether mods or the hive execute it doesn't make a net difference.

The heated discussions are often of dubious quality. But it also sucks some of the fun out of HN when the pile-ons die so quickly. Sometimes companies deserve to fry and HN is probably a healthy outlet. In this case Canonical has earned it by not putting users first.

Curiosity killed the cat.


There isn't much difference along some axes (e.g. downranking is downranking) but there's a huge difference along other axes (e.g. organic community response is very different from authority intervention).


Author of said flagged post here. I agree with you. I wish HN worked such that if a post has more upvotes from high-rep users than flags, that the flags would have no effect whatsoever.


I would personally like that, too. But Dang's bonsai tree that is HN is curated a very particular way which increasingly mostly murders any dramatic posts. I blame Elon, because the Twitter shit really fucked with this site in a way I'd not previously observed. Just another (probably incorrect) theory.

I'm sympathetic in that poor Dang is already grinding it day in and out to keep things afloat, the dumpster fire threads can get out of control pretty quickly and can get ugly and abusive. It's a fine a line.


It's not "increasingly". The moderation practices have been stable for many years.


Ah well, my HN pattern recognition fails again. I give up - I know nothing :)


It's not just you. It always feels like things are getting worse.


I wish we could get away with that but one of the dismayingly consistent findings of running an internet forum (or this one, anyhow) is that you can't rely on high rep for almost anything.


I wonder if there's any good way to avoid the vetocracy-like effect then, where a small number of users who don't like a post can effectively bury it even if a much larger number of users do like it.


Appeal to the mods to overturn the flags on constitutional grounds. We do do that, perhaps a quarter of the time.

This is maybe not quite accurate though:

> a small number of users who don't like a post can effectively bury it even if a much larger number of users do like it

The tug of war between flags and upvotes isn't hopelessly biased against upvoters.


Okay, way to start a conversation in good faith.



