Ubuntu Pro - FAQ

This document was prepared in collaboration with Ubuntu community leads.

Executive summary

Your Ubuntu LTS is still secured in exactly the same way it has always been, with five years of free security updates for the ‘main’ packages in the distribution, and best-effort security coverage for everything else. This has been the promise of Ubuntu since our first LTS in 2006, and remains exactly the same. In fact, thanks to our expanded security team, your LTS is better secured today than ever before, even without Ubuntu Pro.

Ubuntu Pro is an additional stream of security updates and packages that meet compliance requirements such as FIPS or HIPAA, on top of an Ubuntu LTS. Ubuntu Pro was launched in public beta on 5 October, 2022, and moved to general availability on 26 January, 2023. Ubuntu Pro provides an SLA for security fixes for the entire distribution (‘main and universe’ packages) for ten years, with extensions for industrial use cases.

Ubuntu Pro helps large enterprises empower their developers to use anything in Ubuntu with confidence, knowing it will be secured for ten years. We created the product for some specific customers and are now making it widely available. We price Ubuntu Pro to make it extremely cost-effective for companies to adopt widely - for example, on the public cloud we price Ubuntu Pro at on average 3-4% of the cost of the VM it is running on. Our goal is to make it easy for a CISO to be confident letting all their developers use Ubuntu, anywhere, at low cost.

As part of our global mission to amplify the impact of free software, we offer a free personal subscription to Ubuntu Pro that covers up to 5 machines, or 50 machines for active Ubuntu community members.

Is Ubuntu still free?

Yes, the Ubuntu LTS and interim release support still work exactly the same with the same set of promises, bug fixes – and crucially, the same scope of security updates for both ‘Main’ and ‘Universe’ packages.

Ubuntu Pro is free for personal use. It offers the full suite of Ubuntu Pro capabilities for you – and any business you own – on up to 5 machines.

The extraordinary range of security updates in Ubuntu Pro is funded by large-scale, commercial users. Their subscriptions to Ubuntu Pro enable us to offer this service free of charge to personal users who might have their own, or family, or small business needs which we are glad to support as part of our mission and social impact. There are discount programs for specific use-cases, such as research, education, and academia.

What’s the difference between Ubuntu Main and Universe repositories?

The tens of thousands of Ubuntu packages are organised into a set of repositories.

‘Main’ is the set of packages that we identified as our focus when we launched Ubuntu - they are packages that are either installed on every machine, or very widely used for all kinds of deployments, from desktop to cloud. When we launched Ubuntu LTS, we made a commitment to security-support these packages and their dependencies in ‘Main’ for five years, free of charge. There were initially about 1,000 packages in ‘Main’, and today that number has grown to about 2,300 per Ubuntu release.

The ‘Universe’ repository holds all of the other open source packages in Ubuntu, from Debian and the Ubuntu community. Universe is a much bigger repository of over 23,000 packages per release. Historically those packages came with no security maintenance commitment from Canonical. Nevertheless Canonical and the Ubuntu community provided best-effort maintenance for those packages. With the launch of Ubuntu Pro, all of the packages of Ubuntu Universe get the same security maintenance commitment from Canonical as packages in Ubuntu Main.

How can I find out if the packages I am using are coming from Ubuntu Main or Universe?

Run pro security-status in the terminal to find that information. See an example below.

What are esm-apps and esm-infra?

Ubuntu Pro is a broad subscription that includes many different variations of open source packages to meet different needs. You are unlikely to want to use them all at the same time, so you can select the precise stream of updates and versions to apply on any given machine covered by your Pro subscription. For example, Pro includes a set of package versions that are compliant with FIPS regulations. You would want these versions only on machines that need to meet FIPS requirements, so you can choose to enable that stream specifically on those machines.

There are two streams which cover broad-based package security updates; we label these “apps” and “infra”. The “esm-apps” stream covers all ‘Universe’ packages for ten years from the release of the LTS. The “esm-infra” stream covers ‘Main’ packages for the period after the standard five year security maintenance of ‘Main’ packages ends. We call this ‘infra’ because it is commonly used to build our private cloud, storage and kubernetes clusters, where ‘Universe’ packages are not typically deployed. You can get a lower-cost Ubuntu Pro (infra-only) subscription if you only want the infra components, which equates to our original ESM offering.

What if I don’t want to opt-in to Ubuntu Pro? Will I stop receiving security updates for my Ubuntu LTS?

No, nothing has changed with Ubuntu LTS. It still delivers standard security updates for the Ubuntu Main repository for 5 years, and best-effort fixes for ‘Universe’ packages. The best-effort fixes for ‘Universe’ include all fixes provided by the Ubuntu community and Debian.

Canonical did not previously have the resources to guarantee security updates for the packages in the ‘Universe’ repository, which is a much larger collection of packages than any other enterprise Linux provides. Thanks to our larger customers we were able to grow our security coverage, and make Ubuntu Pro generally available with the broadest open source security commitment in the world on 26 January 2023.

If you decide to opt-in to Ubuntu Pro with either a free personal subscription or an enterprise subscription, you will get more security updates than ever before. If you don’t opt-in then there is no loss, you can continue using Ubuntu LTS without the Pro subscription as you always did.

Do I need Ubuntu Pro if I am running the latest Ubuntu LTS?

You don’t have to opt-in, but Ubuntu Pro can provide you with more security updates, even on the latest LTS. Furthermore Ubuntu Pro is free for many users and the only thing you need to do is to register with your email address.

That said, if you decide not to opt-in, you can continue using Ubuntu LTS with no changes to the level of security it has been receiving. Ubuntu Pro adds longer lifetime, more security and compliance, but it doesn’t take anything away from Ubuntu LTS.

Will all vulnerabilities get fixed?

Ubuntu Security Team prioritises critical and high CVEs. They will also tackle selected medium CVEs. For customers with specific compliance requirements, Canonical allows enterprise customers to sponsor additional patches up to medium CVEs for a selected subset of packages and their dependencies.

Canonical doesn’t withhold those commercially “sponsored” security updates. Over the last several years Canonical secured more and more Universe Packages via such enterprise customer engagements and expanded the security team to now cover the full set of packages in ‘Universe’. Therefore, a growing portfolio of security updates is already available to Ubuntu Pro users.

Why do I get notified now that there are packages that need security updates?

The APT command-line interface and desktop Software Updater GUI have always listed updates available for packages installed on your machine. We continue to do that, showing updates that are immediately installable, as well as updates that are available with an Ubuntu Pro subscription. These would be updates for packages in ‘Main’ after the standard five year period, or ‘Universe’ updates that are not in the the best-effort or community-provided set.

With the GA release of Ubuntu Pro on 26 January 2023 we started publishing Ubuntu Security Notices (USNs) for packages in the ‘Universe’ repository, so that enterprise customers have the data they need to meet audit and compliance requirements and assess their own security coverage.

If you only install packages from the Main repository, or if there are no security fixes available for the software that you’re using from the ‘Universe’ repository - you will not see “Ubuntu Pro” updates in your APT CLI or the Software Updater GUI. The message is only displayed when you are using packages for which there are security fixes in Ubuntu Pro, and it gives you the exact list of packages that are affected on your system.

How can you ensure 10 years of security fixes for versions that are not maintained by the upstream anymore?

Long Term Support (LTS) is a term that we coined with the first Ubuntu LTS in 2006! The Canonical Security Team backports security fixes to the package versions that an Ubuntu LTS release shipped with. We take care to avoid changes in ABI where possible, so that people gain security updates without other changes in behaviour.

This approach ensures 10 years API stability & security with no mandatory upgrades to newer versions of the applications. We contribute to upstream security fixes in current development versions of applications, but for long term maintenance we go well beyond what the upstream community provides. We do that for the entire collection of packages in Ubuntu, which is a MUCH larger surface area of coverage than any other enterprise Linux distribution.

Is Ubuntu Pro about putting important security patches behind some kind of paywall?

Ubuntu LTS security updates are unchanged - we have not in any way reduced our free security support coverage for either ‘Main or Universe’ packages. An Ubuntu Pro subscription offers additional security patches, which Ubuntu LTS has never provided before. Nothing changes about what’s been provided as part of Ubuntu LTS.

New patches provided by Canonical to Ubuntu Pro subscribers cover the ‘Universe’ repository (for 10 years) and the ‘Main’ repository (for 5 additional years after 5 years’ of free standard support which comes without any subscription required). This doesn’t impact security fixes provided by the Ubuntu Community, or by Canonical as we have always had a policy of best-effort fixes in ‘Universe’.

Companies using Ubuntu at large scale who want the additional benefits of Ubuntu Pro can try a free, one-month Ubuntu Pro subscription directly from the Ubuntu shop, or from the public cloud marketplace (AWS, Azure, Google). The pricing for Ubuntu Pro is simple and transparent.

Can I disable Ubuntu Pro notifications?

Yes, you can disable system awareness of Ubuntu Pro security updates as well as the APT news feed that provides an overview of current issues.

Ubuntu Pro security update information is managed by APT hooks described in the official documentation. The relevant config file is /etc/apt/apt.conf.d/20apt-esm-hook.conf and you can comment lines out to remove that source of information.

APT news shows up in the APT CLI and will soon be added to the Software Updater GUI, to help people understand the nature of recent updates and inform their decisions about when to apply them. You can switch apt-news off/on by sudo pro config set apt_news=false command.

Why am I seeing updates for ARM if the update is only relevant for another architecture?

This is a known bug and the team is working to fix it so that you’ll only see updates that are actually available to your machine. ARM is fully supported with Ubuntu Pro, starting with Ubuntu 18.04 LTS.

Where can I find more details about how to use Ubuntu Pro?

Our documentation site is continuously updated with information on how to use the Ubuntu Pro client. For a quick getting started guide, follow our tutorial.

What can I do if I have more questions?

Please, raise your questions underneath. I will make sure that this FAQ stays alive

22 Likes

A post was split to a new topic: Remove Pro advertising from Apt

Reason: Not a question about Pro or Pro documentation. Opinions are welcome in opinion topics.

Our organization uses a “flavor,” specifically UbuntuMATE LTS. How does Pro support interact with the LTS support for the flavors–especially since support period for some portions of these is 3 years instead of five?

5 Likes

Hello there,
the documentation (https://ubuntu.com/legal/ubuntu-pro-description) mentions that its possible to use a physical host license to license virtual machines that run on a supported hypervisor and that those would all be covered using the same license. I would like to understand how I can license guest Ubuntu VMs running on Proxmox in KVM. Sadly I could not find any kind of documentation on how to apply Ubuntu pro licenses to virtual machines running on anykind of hypervisor. And would this work with the free license?

6 Likes

The service description contains this explanation for the Desktop subscription:

A subscription limited to Desktop use-cases. It covers packages in the base Ubuntu desktop image as well as packages necessary for basic network authentication and connectivity using sssd, winbind, network-manager, and network-manager plugin.

What exactly does “limited to Desktop use cases” mean? Does it really cover only the mentioned packages, or does it also include the full set of packages in Universe? From the Pricing page it looks like the latter, but nowhere else I could find an explicit list of differences between Desktop and Server.

Please provide a clear list of differences between the Desktop and Server subscriptions and any relevant requirements. For example, an open question is whether I would be allowed to use a Desktop subscription on a rack-mount machine.

3 Likes

4 posts were split to a new topic: Security updates for non-Ubuntu packages

There are well written instructions to ATTACH a machine to my free Ubuntu Pro subscription token. However, it seems logical that the instructions to reverse the process ( DETACH a machine ) should also be available. I’ve searched everywhere, but I couldn’t find anything. I frequently uninstall and then reinstall Ubuntu flavors, such as Xubuntu and so on. If I don’t DETACH a machine before wiping out the installation instance, wouldn’t that mean I’ll run out of my 5 free ATTACHed machines pretty quickly? I’m not sure how to handle this! Please make it a part of the FAQ, if you wish. Thank you.

5 Likes

Community flavours are maintained by the community, not Canonical.

Ubuntu LTS gets security maintenance for Ubuntu Main for 5 years from Canonical, and community maintenance for the Universe.

With Ubuntu Pro subscription both Main and Universe are security maintained by Canonical for 10 years. You can also add 24/7 enterprise-grade phone/ticket support.

3 Likes

Hey!

The free license works for up to 5 machines (can be 5 VMs) and is limited to personal and small-scale commercial use. For details, check the Ubuntu Pro Personal - terms of service, but the unlimited VMs offer doesn’t apply here.

Paid licenses can benefit from unlimited VMs if:
(1) all physical nodes are covered,
(2) you’re running on a “covered hypervisor” (any of: KVM | Qemu | Boch, VMWare ESXi, LXD | LXC, Xen, Hyper-V (WSL, Multipass), VirtualBox, z/VM, Docker.)

You will receive a token to attach an Ubuntu Pro subscription to your machines. The token is the same for each machine you attach to a single subscription. Check this tutorial to find out how to obtain a token and attach a subscription to your Ubuntu machines.

On the commecial note, let’s say you have 50 physical machines. Then, if you buy 50 x Ubuntu Pro subscription, you can attach the token to 50 physical machines and an unlimited number of VMs running on top of those machines.

hope it helps!

1 Like

Hey!

We are very proud to see many organisations moving to Ubuntu Desktop, which continues to be the preferred Linux OS for experienced developers. Thanks to features such as AD integration, developers find it easier than ever to use Ubuntu officially in their workplace.

As you know technically Ubuntu Desktop is an Ubuntu Server with the GUI, and you can install it on your rack-mount server machine in the datacenter. That’s why, in the service description, we specifically called out “a desktop use-case”.

The easiest way to test if Ubuntu Pro Desktop is applicable is by asking 2 questions:

  • is there a human in front of the screen, or can the machine run “on its own”?
  • is the software installed on this machine typical for desktop use-cases, or is it something typical for servers?

Therefore, if you run a server use-case you should buy the servcer subscription, because our support will be limited to the desktop use-cases.

hope it helps!

1 Like

Thank you, that’s a great question.

Technically, you can detach a subscription, same way you attach it. simply use ‘sudo pro detach’ command.

That said, it’s possible that you’d get rid of a VM without detaching a subscription. Then, you might struggle to find a way to detach it.

This is why we don’t prevent you from attaching more machines than the number of entitlements you have (either free or paid). Instead, we monitor how many active machines you have at any given moment. In other words, you should ensure that the number of active machines does not go over the limit.

4 Likes

Thank you for your response. It would be great if you could answer a few more clarification questions:

  • Do the terms of service forbid using Ubuntu Pro Desktop for non-desktop use cases (e.g., a web server), or is it just not recommended? (I.e., is the “should” in your last sentence actually a “must”?)
  • Is the set of packages that receives security updates the same for Ubuntu Pro Desktop and Ubuntu Pro Server, or does Desktop receive less updates?
  • Does the restriction “our support will be limited to the desktop use-cases” of Ubuntu Pro Desktop has any further effect if I buy the Ubuntu Pro Desktop without support, i.e., where I would not get support anyway?
1 Like

Hi Philipp,

Using Ubuntu Pro Desktop on non-desktop use cases would violate the terms of service and is not allowed.

Security patches are the same for Ubuntu Pro, whether running a desktop or a server.

I hope it helps!

3 Likes

5 posts were split to a new topic: Pro on Non-Ubuntu Systems

Thanks for clarification. :+1:t4:

Good Morning,

is this correct?

If there are 10 physical Hypervisor Hosts in a cluster and we use anti-affinity-rules so that the VMs can only be moved between 2 pysical hosts of the 10 hosts cluster, then we only need 2 licenses for unlimited Ubuntu 18.04 Guests on those 2 physical hosts?

1 Like

FYI: I can’t finish the order form, the button is inactive even though there are no errors in the form and the captcha is solved. I am using the latest version of chrome, no proxy.

2 Likes

Just one box to check-mark left.

Hi, thanks for posting! There was an issue discovered with this button which we’re in the process of fixing and it should be resolved by next week.

The main cause of this problem is the information entered into section 1 of the form not being saved. This then blocks the button and makes it un-clickable.

To solve it, please can you check that the information has been saved in the earlier sections. If it hasn’t saved, please re-enter any missing information and save it, and you should then be able to submit the form without any problems.

If you’re using Ubuntu on 10 Hypervisor Hosts, then it should be 10 licenses, even if not all Guest VMs are Ubuntu VMs. If you only use Ubuntu Guests VMs on 2 physical hosts in your cluster, then it should be 2 licenses, as you suggested.

1 Like