Security updates for non-Ubuntu packages

Can someone using Ubuntu 22.04.1 LTS with an Ubuntu Pro subscription with third party packages installed in seven years time expect to have the same level of security for those packages as someone who has the latest version of Ubuntu installed in 2030?

How would we know?

If you install third-party software that does not come from the ubuntu archive, support and security must be provided by the third-party…

regarding anything from the archive, you will indeed get 10y of support as advertised

3 Likes

So based on what you are saying I take it that there is no point in anyone relying on third party applications subscribing to this, as security updates applied to these apps by the vendors may not be available for old versions of Ubuntu running over 5 years…

So you are better off to just keep upgrading to the latest LTS version every 5 years to avoid trouble. Not much point in it for a lot of users out there so…

1 Like

It really depends on the third-party in the end, if you buy a mercedes but put shiny ronal sport-rims and recaro seats in it yourself, will you expect support from mercedes when your seats or rims break ahead of the 10y warranty mercedes granted you for the car ?

While there might be an opportunity to buy additional support for such specific cases from canonical in the future, this does not exist today.

… currently only software provided by canonical through the approved channels (canonical maintained snaps from the snap store, debs from the official archives (including universe now)) is supported by canonical.

5 Likes

Thanks for the metaphore, it really made the entire concept clear for someone who is not as familiar with the details as those who work and breath it.

It really didn’t because I was asking a question which required a simple “Yes” or “No” answer. No metaphor required (the word is metaphor not metaphore by the way). Very simple question but you chose to give your two cents worth which was thanking someone for a “metaphor” of what exactly? The man did not definitively answer the question. And the other word you are looking for is breathe not “breath”. You need to familiarise yourself with simple English before you start with your ‘familiarity’ diatribe.

Hmm, I thought I did in my last paragraph…

Have you heard of that wonderful thing called the ubuntu code of conduct? It applies to all ubuntu communication channels, including this forum… let me show you a paragraph from it…

Be respectful

We work together to resolve conflict, assume good intentions and do our best to act in an empathic fashion. We don't allow frustration to turn into a personal attack. A community where people feel uncomfortable or threatened is not a productive one.

Please respect our rules when posting here, attacking others for being empathic (and calling it a diatribe) or for their non-perfect knowledge of a language they did not grow up with is rather rude, please refrain from posting such stuff here…

2 Likes

In order to get some more use out of my laptop (Intel 32 bit) with Ubuntu 16.02 LTS (i386), I attached it to Pro and saw a chance for my first really useful use for snaps. I wanted to switch to the thunderbird snap for an up to date and security patched version.
The premise states that the package must be maintained by Canonical:

So first I explored if Thunderbird is maintained by Canonical in the snap store (on my desktop):

$ sudo snap info thunderbird
name:      thunderbird
summary:   Mozilla Thunderbird email application
publisher: Canonical✓

Okay, it seems to be published by Canonical, so far so good, now for the second part of the promise. I tried to install the Thunderbird snap on my laptop:

$ sudo snap install thunderbird
error: snap "thunderbird" is not available on stable but is available to
       install on the following channels:

       beta       snap install --beta thunderbird
       edge       snap install --edge thunderbird

       Please be mindful pre-release channels may include features not
       completely tested or implemented. Get more information with 'snap info
       thunderbird'.
$ sudo snap info thunderbird
error: no snap found for "thunderbird"

Unfortunately the promise doesn’t seem to hold for Thunderbird in Ubuntu 16.02 LTS (i386).

The promise holds for thunderbird as well as any other canonical maintained snaps…

Thunderbird has only been snapped from 20.04 onwards and uses a “core20 base” for this… after 18.04 the i386 architecture has been discontinued.

It is simply not technically possible to build the thunderbird snap for i386… it is fully supported on the architectures it can be built on though…

On 16.04 i386 you should still be able to use the deb from the archive though …

I was inspired by Bert, who wrote (source):

Bert Nijhof 6 months ago edited

I do everything the Ubuntu antagonists ever disapproved of:

  1. I still run Unity as part of Ubuntu 16.04 LTS for my Banking and PayPal functions.
  2. I’m using snaps and well the latest stable Firefox and LibreOffice snaps in Ubuntu 16.04.
  3. I use Ubuntu Pro for free to extend the life of Ubuntu 16.04 to Apr 2026

It seems it holds for 64bit hardware, but unfortunately not for 32 bit. (It’s the second time that I’m forced to abandon Ubuntu on aging but still viable hardware.)

Yes, this is a sad truth, but there is not much we can do about i.e. Linus (and the kernel security people) upstream making no attempts to fix things like meltdown or spectre in the kernel for i386 ever… or the fact that many other upstreams abandoned supporting i386 for their applications… keeping it alive downstream in a secure manner is simply a too expensive effort…

there were excessive discussions around it on the ubuntu-devel mailing list before the decision was made, it is what it is…

Firstly I refer to your initial response to my question where you state: “How would we know?”. That was your answer.

Secondly I wasn’t referring to software supported by Canonical, I was specifically referring to third party software security updates and if we could expect that software to be maintained to the same standard within PRO as it would be in a current Ubuntu release.

Thirdly respect and codes of conduct go both ways. The ‘familiarity’ jibe from luvpogl was disrespectful to me. You call that empathy? Seriously? I call it insulting. I have been using Ubuntu long enough now. I am very familiar with it.

And here I can again just say “how would we know?”, we do not have any control over any third party software outside of the ubuntu archive, be it in some ppa, be it some binary installer from some website or whatever else…

the only thing canonical has control over is the archive and the few snap packages that are owned by canonical in the snap store… for all these you can indeed expect full security support in the form of regular CVE fixes (but I think this is pretty clear anyway).

Pro extends the CVE fixing to all universe packages in the archive, this is all… if there is a package in universe that receives CVE fixes via the MOTU or its upstream developer (probably a few handful out of the 20k+ packages today), that security support will indeed go on as is.

Wow, so a spectating person reading along that thanked me for summarizing the topic in a way that that person understands it better now is an insult to you ?

He was not even talking to (or about) you, how can that insult you and drive you to such a harsh reply?

So your answer is: “How would we know?” You answered a question with a question. Hardly definitive… The definitive response would be that you simply do not know. You went on to talk about Canonical and cars and their accessories but you did not definitively answer the question.

The spectating person was clearly referring to me (in the absence of any clarification) when he made his response. If he was talking about himself well then why not refer to himself in the first person rather than “someone”. Why did he not respond and clearly state that he was talking about himself?

Finally the answer to the question I posed is: “NO”. I got the definitive answer to my question elsewhere.

Right, the definitive answer is that Canonical can not give security support for software it does not provide to you and that you downloaded from some obscure place on the web … which IMHO is a pretty logical thing anyway… (how would canonical even know what you downloaded from where and how would you imagine it adds security fixes to such a thing it has no knowledge or control about)

I’m not sure where you can even remotely read an attack against yourself into the words of luvpogl, to me it was pretty clear he is talking about himself (and I bet for most other readers in here too) and again, not everyone is an English grammar God. Writing in an international forum you should really be aware of that and be a bit more graceful and a little less angry in your reactions…

Thanks for your explanation. You’re right, I reviewed the current Ubuntu status.
It is still unknown to me if my old machine is vulnerable to the spectre and / or meltdown bugs. I never found my processor on the vulnerability list.
I wrote to the system manufacturer and cpu manufacturer, but didn’t get any answers back.

Even for brand new processors it is unclear to me if they are vulnerable to spectre and / or meltdown.
As I understand it, the processor manufacturers should fundamentally fix the vulnerabilities, but that required fundamental changes to their architectures.
I have never seen any statement that they did.

And then things went silent…

Might you know why a snap can’t be built? I do see current (version 102) Linux 32 bit builds being available for individual download at thunderbird.net.
A snap has all its dependencies onboard, doesn’t it? So why can’t a snap be built?

To build a snap you will need at least a minimal root filesystem of that architecture… there are not enough i386 packages left in the archive to assemble such a filesystem…

A snap can indeed have all its dependencies on board (as much as it can use shared dependencies (i.e. see the gnome extension that most snaps use to share all desktop libraries))… but to put them there, they need to come from somewhere…

It would be technically not impossible to build it or even set up a cross build environment for it, but it would be non-trivial manual work for each single build of that architecture…

@ogra Thanks for your insight about the inability to build TB and FF snaps because of the missing i386 packages left in the archive.

I was about to give up on having a current FF and TB on 16.04 LTS 32 bit. And to give up on Xenial altogether and also lose the guest-account feature that was broken after 16.04. In Xenial TB and FF did get ESM security patches, but the versions were stuck at TB v68 and FF v88. For FF sync and TB shared IMAP folders and shared Calendars, the versions of the synced devices shouldn’t be apart too much. Effectively still rendering FF and TB obsolete.

Then I stumbled upon this article about adding a PPA to unattended-upgrades.
It mentions a PPA that does offer current TB and FF builds even for Xenial (16.04 LTS) i386 (32 bit) Ubuntu. I tried it and it works!
I now have the latest versions running on Xenial 32 bit (i386):

I’m planning to switch to the firefox-esr build for stability reasons, that’s also in the same PPA.

I’d like to thank the folks that are maintaining the PPA at https://launchpad.net/~mozillateam/+archive/ubuntu/ppa for keeping 16.04 viable and from abandoning Ubuntu on my aging, but working hardware.
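The distinction ogra draws above (Canonical fixes CVEs only for what comes from the Ubuntu archive or its own snaps, not for PPAs or downloaded installers) can be checked on a machine by reading `apt-cache policy` output, which marks the installed version with `***` and lists the repositories that offer it. The script below is an added example, not code from this thread or from Ubuntu; the host lists it uses to classify repositories are its own assumptions, and the embedded `apt-cache policy` text is constructed with made-up version strings to mirror a Xenial i386 box running Thunderbird from the mozillateam PPA.

```python
import re
from urllib.parse import urlparse
# Assumed hosts of the Ubuntu archive (esm.ubuntu.com is what Pro adds);
# anything else is outside Canonical's security support, as the thread says.
ARCHIVE_HOSTS = ("archive.ubuntu.com", "security.ubuntu.com",
                 "ports.ubuntu.com", "esm.ubuntu.com")
PPA_HOSTS = ("ppa.launchpad.net", "ppa.launchpadcontent.net")

def classify_source(url):
    """Map one repository URL from 'apt-cache policy' to a support class."""
    if url.startswith("/"):          # /var/lib/dpkg/status: installed, no repo
        return "local-only"
    host = urlparse(url).hostname or ""
    if host in ARCHIVE_HOSTS or host.endswith(".archive.ubuntu.com"):
        return "ubuntu-archive"
    return "ppa" if host in PPA_HOSTS else "third-party"

def installed_origin(policy_text):
    """Return (pkg, installed version, source classes, components) parsed from
    'apt-cache policy <pkg>' output; '***' marks the installed version row."""
    lines = policy_text.splitlines()
    pkg = lines[0].strip().rstrip(":")
    version, classes, components, in_installed = None, set(), set(), False
    for line in lines[1:]:
        row = re.match(r"\s*(\*\*\*)?\s*(\S+)\s+-?\d+$", line)    # version row
        src = re.match(r"\s+\d+\s+(\S+)(?:\s+\S+/(\S+))?", line)  # source row
        if row:
            in_installed = row.group(1) is not None
            version = row.group(2) if in_installed else version
        elif src and in_installed:      # only sources of the installed version
            classes.add(classify_source(src.group(1)))
            if src.group(2):            # archive component: main, universe, ...
                components.add(src.group(2))
    return pkg, version, classes, components

def canonical_supported(policy_text):
    """True only if the installed build is served from the Ubuntu archive."""
    return "ubuntu-archive" in installed_origin(policy_text)[2]

# Constructed sample (made-up versions): Thunderbird from the mozillateam PPA
# on Xenial i386, while the archive itself only offers an older build.
SAMPLE_PPA = """\
thunderbird:
  Installed: 1:102.0+build1-0ubuntu0.16.04.1~mt1
  Version table:
 *** 1:102.0+build1-0ubuntu0.16.04.1~mt1 500
        500 http://ppa.launchpad.net/mozillateam/ppa/ubuntu xenial/main i386 Packages
        100 /var/lib/dpkg/status
     1:52.0+build1-0ubuntu0.16.04.1 500
        500 http://security.ubuntu.com/ubuntu xenial-security/main i386 Packages
"""
```

On a real system, feed it `subprocess.run(["apt-cache", "policy", pkg], capture_output=True, text=True).stdout` for each package from `dpkg-query -W -f '${Package}\n'`; a `universe` component in the result is what Pro's extra CVE coverage applies to, a `ppa` or `third-party` class is what it does not.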