Hacker News new | ask | show | jobs
Yes, Ubuntu is withholding security patches for some software (flu0r1ne.net)
73 points by svc0 952 days ago
4 comments
dang 952 days ago
Related ongoing thread:

Ubuntu Pro Shenanigans - https://news.ycombinator.com/item?id=38254040 - Nov 2023 (92 comments)

link
wmf 952 days ago
Debian is looking better and better.
link
cycleslow 952 days ago
It always has. You can only convince a billionaire to hate money for so long. Mark is going to rip the rug out on everyone soon enough.
link
geokon 952 days ago
Except it doesn't really have PPAs ... which limits outside contribution and is a huge downside
link
gettodachoppa 952 days ago
What is the advantage of PPAs over an apt repo that users place in /etc/apt/sources.list.d/someexternalapp? Is it having a central site that users can search for packages? Basically a social portal?
link
vetrom 952 days ago
Having an automated per-user publishing pipeline for packages is a non trivial endeavour.

These days you can get close with github-actions style pieplines and releases, but the PPA system has always been a more complete platform in terms of dependency management.

You can get close with some debian tooling (im a fan of sbuild), but it's some overhead to deal with.

link
apple4ever 946 days ago
Agreed. I'd love to switch to Debian, but the lack of PPAs makes it difficult.

Also Debian is always much further behind than Ubuntu on new packages.

link
extraduder_ire 952 days ago
IIRC, you can still add those repos. The PPA system just makes it a little easier to add them.
link
geokon 952 days ago
it's one of those things that will probably work most of the time

PPAs are built against Ubuntu packages as dependencies - which usually but not always match Debian ones. Easy way to get subtly broken programs

link
personomas 952 days ago
Can you explain how better? A link to an example maybe
link
NikkiA 952 days ago
https://vitux.com/how-to-add-ppa-repositories-in-debian/
link
panarky 952 days ago
I'm so confused.

When I install an LTS version with a Universe package like ffmpeg, does everything continue getting security patches for the full five-year LTS life?

Or do I now need Ubuntu Pro to get the full five years?

link
svc0 952 days ago
Universe packages are not supported by Ubuntu unless you activate Ubuntu Pro. Thus, if you install ffmpeg on Ubuntu without Pro, it will contain several active vulnerabilities. The full five years only applies packages in the main repo.
link
xinayder 952 days ago
I wanted to find another reason to not use Ubuntu for servers (besides Snap being forced on everyone) and this was it.

At least, in Debian, most of the packages I use on my server are from their main repos. Occasionally there are a few from other sources but by the time a new Debian patch is released, those other packages are also updated.

link
isaacremuant 952 days ago
That's absolutely terrible and not clear at all.

I've been tempted to go back to Arch and I think this can be a good motivator.

link
diffeomorphism 952 days ago
That is also absolutely unchanged compared to "since forever". Canonical supports "main", while "universe" and "multiverse" offer best-effort community support (aka from debian). They now additionally offer a dedicated team for those repos.

Honest question, since the arch wiki seems surprisingly spotty on this: Which arch repos are covered by their security team? Just core? Or also extra? More than that? AUR surely not, right?

link
guappa 952 days ago
Not even "from debian". Sometimes they can't be bothered to copy debian packages that fix security issues if the package is in universe, and just leave it vulnerable for the entire duration of the LTS.

Happened to me.

link
svc0 952 days ago
Just to be clear, on Arch ffmpeg is outdated (6.0 vs 6.1.) This means it has three security vulnerabilities.
link
viraptor 952 days ago
It's not the case for this example of ffmpeg (it's actually not patched), but make sure to check the actual changelog. Sometimes the version is kept, but the patches are backported, so a plain version comparison is not enough.
link
panarky 952 days ago
Debian's ffmpeg is at 6.1, no subscription nonsense required.
link
charcircuit 952 days ago
Universe is supported on a "best effort" basis.

https://ubuntu.com/security/esm

link
cvccvroomvroom 952 days ago
Just stop using Ubuntu. It's bullshit with shit governance run by crazy people.

For servers, CentOS is reliable as fuck.

link
cvccvroomvroom 952 days ago
This is why I tell everyone to avoid the psychos at Canonical and use either CentOS 9 Stream, Fedora, or Debian.
link
spicyusername 952 days ago
I fear for the future of Red Hat products.

IBM isn't exactly the most trustworthy steward.

link
sonicanatidae 952 days ago
Didnt CentOS...go away or am I confusing it with another distro?
link
smegsicle 952 days ago
centos used to be 1:1 clone of rhel sans branding, ibm replaced it with rolling release 'centos stream' upstream of rhel

now we have 'rocky linux' taking the place of old downstream centos as 1:1 bug-for-bug rhel compatible (against ibm's wishes)

and 'almalinux' building a stable release on top of centos stream (ibm seems to be ok with)

link
sonicanatidae 952 days ago
Thanks for posting the details. I'll check out Rocky and Alma.
link