Hacker News new | ask | show | jobs
by captn3m0 1233 days ago
Ubuntu makes this worse by using "end-of-life" dates as End-of-ESM at various pages[0,1]. If you read that page, you'll assume all packages will be supported till EOL for all users. This is all it says about ESM:

> Extended Security Maintenance (ESM) provides security updates on Ubuntu LTS releases for additional 5 years. It is available with the Ubuntu Advantage subscription or a Free subscription.

The Pro page[2], now has a clear graphic comparing the security coverage, but this appears to be new.

[0]: https://wiki.ubuntu.com/Releases

[1]: https://ubuntu.com/about/release-cycle

[2]: https://ubuntu.com/pro
1 comments
cpncrunch 1233 days ago
Indeed. I see Ubuntu 20.04 imagemagick was updated with a security update in 2021 for free. Now, there is another update for imagemagick, but we have to pay for it.

The release cycle page (https://ubuntu.com/about/release-cycle) has no mention of any differences in updates for universe vs base packages.

The https://ubuntu.com/pro page says "best effort" for universe packages. Yet, they have an update for imagemagick, we just have to pay for the pro subscription to get it. How exactly is that "best effort"?

link
mdeslaur 1233 days ago
https://wiki.ubuntu.com/SecurityTeam/FAQ#Official%20Support
link
cpncrunch 1233 days ago
That doesn't really clarify things. It just says universe is supported by the community. Right now, we have an update for imagemagick, but we have to pay for it, whereas last year we had updates to imagemagick for free. How is that "best effort"? What they mean is, they are now putting more effort into universe, but you have to pay for the updates.

I don't mind having to pay for these updates if necessary. They should just be honest and transparent about what they are doing.

link
cpncrunch 1233 days ago
Looking into this further, I see that Ubuntu 20.04 has an identical version of imagemagick to that on Debian 10. This is a security update to imagemagick from 2020:

https://launchpad.net/debian/+source/imagemagick/8:6.9.10.23...

There are no later versions of imagemagick on ubuntu 10. So, my guess is that Ubuntu has (and will continue to) take any security updates that appear in the upstream Debian release, and add an Ubuntu Universe package for them. Now, I'm guessing, there will be additional security updates in the Universe package set for users paying for Ubuntu pro, where those packages are not available on Debian (i.e. Ubuntu themselves will package them).

If that's the case then there is nothing nefarious going on, just Canonical didn't explain it very well.

link
captn3m0 1233 days ago
DELETED, there's a bug which doesn't consider architecture into account: https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-t...
link