Hacker News: mdeslaur's comments

So I expect to pay less for his product now that his biggest cost has been cut in half.


So it's "political" to show tariffs, but it's not "political" to show sales tax?



Ubuntu Pro covers Universe packages, which weren't previously covered by official security updates. All the packages in main still get the same security updates as before without requiring Ubuntu Pro.


Was just going to say, they're merely making more obvious a situation that has long existed. But most people don't bother checking if packages they depend on are part of `main` or `universe` so I can see how this comes as a shock to some.
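One way to do that check, as an added example rather than code from Ubuntu or from any commenter: it parses the text output of `apt-cache policy` and reports which archive component (main, restricted, universe, multiverse) supplied each installed version. The embedded policy output is constructed for the example and its version strings are illustrative; the rule that main and restricted fall under Canonical's standard security updates while universe and multiverse depend on community fixes or Ubuntu Pro is the distinction the comments above describe.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"strings"
)

// PackageOrigin records which archive component supplied a package's
// installed version, as shown by `apt-cache policy`.
type PackageOrigin struct {
	Package   string
	Installed string
	Archive   string // URL of the archive the installed version came from
	Component string // main, restricted, universe, multiverse, "local" or "not installed"
}

// CoveredWithoutPro is true for the components Canonical maintains under the
// standard security updates; universe and multiverse rely on community fixes
// or Ubuntu Pro.
func (o PackageOrigin) CoveredWithoutPro() bool {
	return o.Component == "main" || o.Component == "restricted"
}

// ParsePolicy parses `apt-cache policy pkg...` output. The installed version's
// block starts with " ***"; its origin lines are indented eight spaces and look
// like "500 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages".
func ParsePolicy(r io.Reader) []PackageOrigin {
	var pkgs []PackageOrigin
	cur := -1
	inInstalled := false
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := sc.Text()
		trim := strings.TrimLeft(line, " ")
		indent := len(line) - len(trim)
		switch {
		case indent == 0 && strings.HasSuffix(trim, ":"):
			pkgs = append(pkgs, PackageOrigin{Package: strings.TrimSuffix(trim, ":"), Component: "local"})
			cur = len(pkgs) - 1
			inInstalled = false
		case cur < 0:
			// anything before the first package header is ignored
		case strings.HasPrefix(trim, "Installed:"):
			pkgs[cur].Installed = strings.TrimSpace(strings.TrimPrefix(trim, "Installed:"))
			if pkgs[cur].Installed == "(none)" {
				pkgs[cur].Component = "not installed"
			}
		case strings.HasPrefix(trim, "***"):
			inInstalled = true
		case indent == 5:
			inInstalled = false // block of a version other than the installed one
		case inInstalled && indent >= 8 && pkgs[cur].Component == "local":
			f := strings.Fields(trim) // priority, URL, suite/component, arch, "Packages"
			if len(f) >= 5 && strings.Contains(f[2], "/") {
				pkgs[cur].Archive = f[1]
				pkgs[cur].Component = f[2][strings.LastIndex(f[2], "/")+1:]
			}
		}
	}
	return pkgs
}

// SamplePolicy is constructed apt-cache policy output (versions illustrative).
const SamplePolicy = `imagemagick:
  Installed: 8:6.9.10.23+dfsg-2.1ubuntu11.4
  Candidate: 8:6.9.10.23+dfsg-2.1ubuntu11.4
  Version table:
 *** 8:6.9.10.23+dfsg-2.1ubuntu11.4 500
        500 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages
        100 /var/lib/dpkg/status
     8:6.9.10.23+dfsg-2.1ubuntu11 500
        500 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages
openssl:
  Installed: 1.1.1f-1ubuntu2.16
  Candidate: 1.1.1f-1ubuntu2.16
  Version table:
 *** 1.1.1f-1ubuntu2.16 500
        500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
        100 /var/lib/dpkg/status
gimp:
  Installed: (none)
  Candidate: 2.10.18-1
  Version table:
     2.10.18-1 500
        500 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages
`

func main() {
	var src io.Reader = strings.NewReader(SamplePolicy)
	if len(os.Args) > 1 && os.Args[1] == "-" {
		src = os.Stdin // apt-cache policy $(dpkg-query -W -f='${binary:Package}\n') | go run origin.go -
	}
	for _, p := range ParsePolicy(src) {
		fmt.Printf("%-16s %-14s %-36s covered without Pro: %v\n", p.Package, p.Component, p.Installed, p.CoveredWithoutPro())
	}
}
```

The component name alone is not enough when third-party sources are enabled: a PPA or a vendor repository usually calls its own component "main" too, so for those packages look at the Archive URL the parser records before trusting the verdict.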


Ubuntu makes this worse by using "end-of-life" dates as End-of-ESM on various pages[0,1]. If you read that page, you'll assume all packages will be supported until EOL for all users. This is all it says about ESM:

> Extended Security Maintenance (ESM) provides security updates on Ubuntu LTS releases for additional 5 years. It is available with the Ubuntu Advantage subscription or a Free subscription.

The Pro page[2] now has a clear graphic comparing the security coverage, but this appears to be new.

[0]: https://wiki.ubuntu.com/Releases

[1]: https://ubuntu.com/about/release-cycle

[2]: https://ubuntu.com/pro


Indeed. I see Ubuntu 20.04 imagemagick was updated with a security update in 2021 for free. Now, there is another update for imagemagick, but we have to pay for it.

The release cycle page (https://ubuntu.com/about/release-cycle) has no mention of any differences in updates for universe vs base packages.

The https://ubuntu.com/pro page says "best effort" for universe packages. Yet, they have an update for imagemagick, we just have to pay for the pro subscription to get it. How exactly is that "best effort"?



That doesn't really clarify things. It just says universe is supported by the community. Right now, we have an update for imagemagick, but we have to pay for it, whereas last year we had updates to imagemagick for free. How is that "best effort"? What they mean is, they are now putting more effort into universe, but you have to pay for the updates.

I don't mind having to pay for these updates if necessary. They should just be honest and transparent about what they are doing.


Looking into this further, I see that Ubuntu 20.04 has an identical version of imagemagick to that on Debian 10. This is a security update to imagemagick from 2020:

https://launchpad.net/debian/+source/imagemagick/8:6.9.10.23...

There are no later versions of imagemagick on Ubuntu 10. So, my guess is that Ubuntu has (and will continue to) take any security updates that appear in the upstream Debian release, and add an Ubuntu Universe package for them. Now, I'm guessing, there will be additional security updates in the Universe package set for users paying for Ubuntu Pro, where those packages are not available on Debian (i.e. Ubuntu themselves will package them).

If that's the case then there is nothing nefarious going on, just Canonical didn't explain it very well.


DELETED, there's a bug which doesn't take architecture into account: https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-t...


But are they now continuing to ship the known-vulnerable version in universe for new installs moving forward, but then notifying the user that an up-sell opportunity exists if they want the fixed version?


That's my impression.


There are lots of security updates in the source code for the packages. Major vulnerabilities will (presumably) have Debian package updates, and those should continue to be ported to Ubuntu. What will happen now is that Ubuntu themselves will sometimes port security updates to Ubuntu even when there is no community (Debian) update upstream. At least, that is based on my own analysis (see my other comments).

So, I think this is just a new offering from Canonical, allowing us to pay for more minor security updates to the Universe packages. But they explained it very badly!


So, when did universe packages get updates without Ubuntu Pro? Did they only update the debs for feature updates, and withhold in-between updates if they only had security changes? That seems insane. Or did regular Ubuntu (without subscription) just never update the universe packages at all?

I had the impression that, if anything, the non-main-repo things got more frequent (minor) updates.


In the past, Universe packages only got security updates if a member of the Ubuntu community submitted a fix for sponsoring. The community can still do this, but additionally, Ubuntu Pro exists which also updates universe packages.


Usually, security updates for repos on Gentoo, as I remember (not sure about Ubuntu), were up to the repo maintainer, who often received no support. That's the price a user pays for using a non-mainline repo. I assume it's the same.

I assume repo maintainers ship security updates if it's a shipped tarball from upstream. However, some security updates are just patches, which require manual work from the maintainer. That is the issue I think, it's not as simple as delivering what upstream already gave you.


I'd say that when maintaining a deb package for a stable distro like Ubuntu, it's much easier to apply a patch than import a whole new upstream release.


I use another distro and not Ubuntu. Are these security updates for repos other than the main repo, like in other distros?


I don't understand how anyone manages to use a touchpad after getting used to how great trackpoints are. I have to use an external mouse on laptops that only have touchpads.


Oh no, our terrible secret is out! :)


> Ubuntu has never seemed to take security particularly seriously.

I haven't heard that before. Care to elaborate what we do that makes you believe we don't take security seriously?


> where Ubuntu just unilaterally reverted Mozilla’s removal of a cert in their package, because it was breaking nuget… Note that this was early 2021 — Mozilla removed Symantec from their trust store in October 2018!

Mozilla actually removed the certs from their trust store in February 2021: https://hg.mozilla.org/projects/nss/rev/9718a34c84429b1e5dc6...

Debian and Ubuntu had jumped the gun by a few weeks and there were certificates still being used that had not been renewed yet, so we had to revert temporarily.

Mozilla had used the CKA_NSS_SERVER_DISTRUST_AFTER tag with a date to specify newer certs issued by that CA were not valid, but as the article above states, the crypto libraries being used in Linux don't support that kind of thing.
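The CKA_NSS_SERVER_DISTRUST_AFTER behaviour described in the comment above, as an added example that is not Ubuntu's, Mozilla's or NSS's code: it builds a constructed root and leaf with Go's standard library, lets the normal chain validation run, and then applies the date rule. Assumptions: the rule as written here (reject a chain to a flagged root if any certificate below the root has a NotBefore later than the cutoff) is a simplification of NSS's logic; the CA name, hostname and the 2019-01-01 cutoff are constructed for the example and are not any real CA's date.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// DistrustPolicy maps a root's subject (cert.Subject.String()) to the date
// after which certificates issued under it are no longer trusted for server
// authentication; this models NSS's CKA_NSS_SERVER_DISTRUST_AFTER attribute.
type DistrustPolicy map[string]time.Time

var ErrDistrusted = errors.New("certificate issued after the root's distrust-after date")

// VerifyServerCert builds chains the usual way, then rejects any chain whose
// root carries a cutoff and which contains a non-root certificate issued
// (NotBefore) after that cutoff. A chain to a root without a cutoff passes.
func VerifyServerCert(leaf *x509.Certificate, roots *x509.CertPool, policy DistrustPolicy, now time.Time) error {
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		root := chain[len(chain)-1]
		cutoff, restricted := policy[root.Subject.String()]
		if !restricted {
			return nil
		}
		issuedTooLate := false
		for _, c := range chain[:len(chain)-1] {
			if c.NotBefore.After(cutoff) {
				issuedTooLate = true
				break
			}
		}
		if !issuedTooLate {
			return nil
		}
	}
	return ErrDistrusted
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func mustCert(tpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// Scenario creates a constructed root (valid 2010-2040) and a leaf issued at
// leafIssued, then verifies the leaf one day later under a policy that
// distrusts the root after cutoff.
func Scenario(leafIssued, cutoff time.Time) error {
	rootKey := newKey()
	rootTpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Legacy Root CA"}, // constructed name
		NotBefore:             time.Date(2010, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Date(2040, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	root := mustCert(rootTpl, rootTpl, &rootKey.PublicKey, rootKey) // self-signed

	leafKey := newKey()
	leafTpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "www.example.test"}, // constructed host
		DNSNames:     []string{"www.example.test"},
		NotBefore:    leafIssued,
		NotAfter:     leafIssued.AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := mustCert(leafTpl, root, &leafKey.PublicKey, rootKey)

	pool := x509.NewCertPool()
	pool.AddCert(root)
	policy := DistrustPolicy{root.Subject.String(): cutoff}
	return VerifyServerCert(leaf, pool, policy, leafIssued.Add(24*time.Hour))
}

func main() {
	cutoff := time.Date(2019, 1, 1, 0, 0, 0, 0, time.UTC) // constructed, not a real CA's date
	for _, issued := range []time.Time{cutoff.AddDate(0, -6, 0), cutoff.AddDate(0, 6, 0)} {
		fmt.Printf("leaf issued %s: %v\n", issued.Format("2006-01-02"), Scenario(issued, cutoff))
	}
}
```

The two runs show why the attribute matters for a distro: a trust store consumed by a library without this check has only two coarse options, keep the root (both leaves accepted) or remove it (both rejected, including certificates issued before the cutoff that are still in use), which is the trade-off behind the temporary revert described above.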


My mistake, I misread “Removal/distrust” in the timeline of https://wiki.mozilla.org/CA/Symantec_Issues as meaning removal from the trust store.

I can’t edit my comment now, but hopefully your correction here gets upvoted and is visible to people.


Yes, this.


Can a device still be wiped when this happens? I'm wondering how to recycle or recover locked devices if the USB port is disabled...


The assumption is that the correct passcode will remove the USB shutoff. If you fail to enter the passcode in the required number of attempts, you get a wipe. Many of the law enforcement ways to access these devices rely on the USB port being active to root the phone or reset it in a way that allows faster/more passcode attempts (or by simply letting it sit on a shelf for months or years until a known exploit allows access via USB).

