by failsecure 1230 days ago
I think this discourse comment by a Canonical employee should be read by everyone before making a judgement. It's really easy to make assumptions as an end user, myself included.

https://discourse.ubuntu.com/t/why-is-extended-security-main...

> Canonical has never provided security updates for universe packages until this week, so nothing has changed for you if you decide to simply ignore the message


> Canonical has never provided security updates for universe packages until this week

Is that true, though? Until now, wasn't it just that they weren't guaranteed? Didn't Canonical make security patches available in universe on a "best-effort" basis, or at least say they did?

I'm not sure, as I've never followed how OSS projects get patched with respect to security in particular. I've always groaned at my employer for running EOL operating systems and told them to upgrade to a supported OS to prevent getting into this type of situation.

My reasoning was that if we were running a supported version of $oss_project then we'd get security updates naturally.

That seems deliberately misleading. They may not have “provided” security updates, but they did “distribute” them when they were provided by community package maintainers.
The way I interpret that paragraph is that now, with an additional revenue stream (Pro/ESM), they can develop security patches and only subscribers will get them. I think their attempt to get the conversation started (putting ambiguous sentences inside of apt) has backfired, however.
Without a more granular solution in apt, this seems to require Ubuntu to halt the practice of allowing maintainers to provide their own updates for those packages. In other words, they seem to be taking away the community maintainers' ability to provide updates for those packages. I am not sure how they can claim nothing is being lost here.