by sjansen 1233 days ago
Was just going to say, they're merely making more obvious a situation that has long existed. But most people don't bother checking if packages they depend on are part of `main` or `universe` so I can see how this comes as a shock to some.
2 comments
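Checking which archive component an installed package actually comes from is easy to script. The following is an added example, not code from the thread or from Canonical: it parses `apt-cache policy` output and reports the component (main, universe, restricted, multiverse) of the installed version. The three `apt-cache policy` transcripts in it are constructed to look like a 20.04 host; the version strings are illustrative and the function names (`policy_component`, `scan_installed`) are my own.

```shell
#!/bin/sh
# Added example (not from the thread): find which archive component an
# installed Ubuntu package comes from, by parsing `apt-cache policy` output.
# The sample transcripts below are constructed; they are shaped like
# `apt-cache policy <pkg>` on a focal (20.04) host but are not real archive data.

# Read `apt-cache policy <pkg>` text on stdin and print the component of the
# *installed* version (the entry marked "***" in the version table).
# Prints "unknown" when the installed version only appears in
# /var/lib/dpkg/status (a locally built .deb, or a source that was removed)
# or when the package is not installed at all ("Installed: (none)").
policy_component() {
  awk '
    /^  Installed:/ { inst = $2 }
    # Version-table entries: " *** <ver> <prio>" is the installed version,
    # "     <ver> <prio>" (five spaces) are the other candidates.
    $1 == "***"  { cur = $2; next }
    /^     [^ ]/ { cur = $1; next }
    # Source lines (eight spaces):
    #   "        500 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages"
    # $3 is "<suite>/<component>"; the dpkg status line has no such field.
    /^        [0-9]+ / && cur == inst && $3 ~ /\// && !done {
      n = split($3, parts, "/"); print parts[n]; done = 1
    }
    END { if (!done) print "unknown" }
  '
}

# Convenience wrapper for a transcript held in a variable.
component_of() {
  printf '%s\n' "$1" | policy_component
}

# Live scan of the whole machine (not run in this file, needs dpkg/apt):
# prints "<package>\t<component>" so you can see what sits outside main.
scan_installed() {
  dpkg-query -W -f='${binary:Package}\n' | while read -r pkg; do
    printf '%s\t%s\n' "$pkg" "$(apt-cache policy "$pkg" | policy_component)"
  done
}

# Constructed sample: a universe package with an update in focal-updates.
SAMPLE_UNIVERSE='imagemagick:
  Installed: 8:6.9.10.23+dfsg-2.1ubuntu11.4
  Candidate: 8:6.9.10.23+dfsg-2.1ubuntu11.4
  Version table:
 *** 8:6.9.10.23+dfsg-2.1ubuntu11.4 500
        500 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages
        500 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages
        100 /var/lib/dpkg/status
     8:6.9.10.23+dfsg-2.1ubuntu11 500
        500 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages'

# Constructed sample: a main package.
SAMPLE_MAIN='bash:
  Installed: 5.0-6ubuntu1.2
  Candidate: 5.0-6ubuntu1.2
  Version table:
 *** 5.0-6ubuntu1.2 500
        500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     5.0-6ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages'

# Constructed sample: a locally installed .deb that no archive knows about.
SAMPLE_LOCAL='mytool:
  Installed: 1.0-1
  Candidate: 1.0-1
  Version table:
 *** 1.0-1 100
        100 /var/lib/dpkg/status'

# Constructed sample: package known to apt but not installed.
SAMPLE_NOT_INSTALLED='imagemagick:
  Installed: (none)
  Candidate: 8:6.9.10.23+dfsg-2.1ubuntu11.4
  Version table:
     8:6.9.10.23+dfsg-2.1ubuntu11.4 500
        500 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages'

# Demo on the constructed transcripts.
for s in "$SAMPLE_UNIVERSE" "$SAMPLE_MAIN" "$SAMPLE_LOCAL" "$SAMPLE_NOT_INSTALLED"; do
  printf '%s\t%s\n' "${s%%:*}" "$(component_of "$s")"
done
```

On a real host, `apt-cache policy imagemagick | policy_component` answers the question for one package and `scan_installed | grep -v 'main$'` lists everything that is not in main. Ubuntu 20.04 and later also ship `ubuntu-security-status` (from update-manager-core), which gives the same breakdown from Canonical's point of view; the script above is useful when you want the raw answer from the archive metadata rather than a summary.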

Ubuntu makes this worse by using "end-of-life" dates as End-of-ESM at various pages[0,1]. If you read that page, you'll assume all packages will be supported till EOL for all users. This is all it says about ESM:

> Extended Security Maintenance (ESM) provides security updates on Ubuntu LTS releases for additional 5 years. It is available with the Ubuntu Advantage subscription or a Free subscription.

The Pro page[2] now has a clear graphic comparing the security coverage, but this appears to be new.

[0]: https://wiki.ubuntu.com/Releases

[1]: https://ubuntu.com/about/release-cycle

[2]: https://ubuntu.com/pro

Indeed. I see Ubuntu 20.04 imagemagick was updated with a security update in 2021 for free. Now, there is another update for imagemagick, but we have to pay for it.

The release cycle page (https://ubuntu.com/about/release-cycle) has no mention of any differences in updates for universe vs base packages.

The https://ubuntu.com/pro page says "best effort" for universe packages. Yet, they have an update for imagemagick, we just have to pay for the pro subscription to get it. How exactly is that "best effort"?

That doesn't really clarify things. It just says universe is supported by the community. Right now, we have an update for imagemagick, but we have to pay for it, whereas last year we had updates to imagemagick for free. How is that "best effort"? What they mean is, they are now putting more effort into universe, but you have to pay for the updates.

I don't mind having to pay for these updates if necessary. They should just be honest and transparent about what they are doing.

Looking into this further, I see that Ubuntu 20.04 has an identical version of imagemagick to that on Debian 10. This is a security update to imagemagick from 2020:

https://launchpad.net/debian/+source/imagemagick/8:6.9.10.23...

There are no later versions of imagemagick on Ubuntu 10. So, my guess is that Ubuntu has taken (and will continue to take) any security updates that appear in the upstream Debian release, and add an Ubuntu Universe package for them. Now, I'm guessing, there will be additional security updates in the Universe package set for users paying for Ubuntu Pro, where those packages are not available on Debian (i.e. Ubuntu themselves will package them).

If that's the case then there is nothing nefarious going on, just Canonical didn't explain it very well.

DELETED, there's a bug which doesn't take architecture into account: https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-t...
But are they now continuing to ship the known-vulnerable version in universe for new installs moving forward, but then notifying the user that an up-sell opportunity exists if they want the fixed version?
That's my impression.
There are lots of security updates in the source code for the packages. Major vulnerabilities will (presumably) have Debian package updates, and those should continue to be ported to Ubuntu. What will happen now is that Ubuntu themselves will sometimes port security updates to Ubuntu even when there is no community (debian) update upstream. At least, that is based on my own analysis (see my other comments).

So, I think this is just a new offering from Canonical, allowing us to pay for more minor security updates to the Universe packages. But they explained it very badly!