This document was prepared in collaboration with Ubuntu community leads.
Executive summary
Your Ubuntu LTS is still secured in exactly the same way it has always been, with five years of free security updates for the ‘main’ packages in the distribution, and best-effort security coverage for everything else. This has been the promise of Ubuntu since our first LTS in 2006, and remains exactly the same. In fact, thanks to our expanded security team, your LTS is better secured today than ever before, even without Ubuntu Pro.
Ubuntu Pro is an additional stream of security updates and packages that meet compliance requirements such as FIPS or HIPAA, on top of an Ubuntu LTS. Ubuntu Pro was launched in public beta on 5 October, 2022, and moved to general availability on 26 January, 2023. Ubuntu Pro provides an SLA for security fixes for the entire distribution (‘main and universe’ packages) for ten years, with extensions for industrial use cases.
Ubuntu Pro helps large enterprises empower their developers to use anything in Ubuntu with confidence, knowing it will be secured for ten years. We created the product for some specific customers and are now making it widely available. We price Ubuntu Pro to make it extremely cost-effective for companies to adopt widely - for example, on the public cloud we price Ubuntu Pro at on average 3-4% of the cost of the VM it is running on. Our goal is to make it easy for a CISO to be confident letting all their developers use Ubuntu, anywhere, at low cost.
As part of our global mission to amplify the impact of free software, we offer a free personal subscription to Ubuntu Pro that covers up to 5 machines, or 50 machines for active Ubuntu community members.
Is Ubuntu still free?
Yes, the Ubuntu LTS and interim release support still work exactly the same with the same set of promises, bug fixes – and crucially, the same scope of security updates for both ‘Main’ and ‘Universe’ packages.
Ubuntu Pro is free for personal use. It offers the full suite of Ubuntu Pro capabilities for you – and any business you own – on up to 5 physical machines with unlimited VMs and/or containers you can run on top.
The extraordinary range of security updates in Ubuntu Pro is funded by large-scale, commercial users. Their subscriptions to Ubuntu Pro enable us to offer this service free of charge to personal users who might have their own, or family, or small business needs which we are glad to support as part of our mission and social impact. There are discount programs for specific use-cases, such as research, education, and academia.
What’s the difference between Ubuntu Main and Universe repositories?
The tens of thousands of Ubuntu packages are organised into a set of repositories.
‘Main’ is the set of packages that we identified as our focus when we launched Ubuntu - they are packages that are either installed on every machine, or very widely used for all kinds of deployments, from desktop to cloud. When we launched Ubuntu LTS, we made a commitment to security-support these packages and their dependencies in ‘Main’ for five years, free of charge. There were initially about 1,000 packages in ‘Main’, and today that number has grown to about 2,300 per Ubuntu release.
The ‘Universe’ repository holds all of the other open source packages in Ubuntu, from Debian and the Ubuntu community. Universe is a much bigger repository of over 23,000 packages per release. Historically those packages came with no security maintenance commitment from Canonical. Nevertheless Canonical and the Ubuntu community provided best-effort maintenance for those packages. With the launch of Ubuntu Pro, all of the packages of Ubuntu Universe get the same security maintenance commitment from Canonical as packages in Ubuntu Main.
How can I find out if the packages I am using are coming from Ubuntu Main or Universe?
Run ‘pro security-status’ in the terminal to find that information. See an example below.
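If the Pro client is not installed, or you want to script the same check, the repository an installed version came from is also visible in the output of ‘apt-cache policy’. The script below is an added example, not part of the original FAQ or of the Pro client: it parses ‘apt-cache policy PKG…’ output and reports, per package, the installed version and whether it came from main, universe, restricted, multiverse, an esm-apps or esm-infra pocket (served from esm.ubuntu.com), or only from the local dpkg database. The policy output embedded in sample_policy is constructed, with made-up version strings, so the script runs without APT present; classify_system runs it against a real machine.

```shell
#!/bin/sh
# Added example (not part of the original FAQ or of the Pro client): work out
# which repository an installed package version came from using only
# `apt-cache policy PKG...` output. There the installed version is marked
# "***" and each source line looks like
#   "500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages";
# the component follows the "/" in the suite/component field. Ubuntu Pro's
# ESM pockets are served from esm.ubuntu.com/apps/ and esm.ubuntu.com/infra/.

# classify_policy: read apt-cache policy output on stdin and print one line
# per package, "<package> <installed-version> <origin>", where origin is
# main|universe|restricted|multiverse|esm-apps|esm-infra|local, or "-" when
# the package is not installed.
classify_policy() {
    awk '
    function flush() {
        if (pkg == "") return
        if (ver == "") { ver = "(none)"; origin = "-" }
        print pkg, ver, origin
    }
    /^[^ ]/ && /:$/ {                    # "vim:" opens a new package block
        flush()
        pkg = substr($1, 1, length($1) - 1)
        ver = ""; origin = ""; want = 0
        next
    }
    /^ \*\*\* / { ver = $2; want = 1; next }   # the installed version entry
    want && $1 ~ /^[0-9]+$/ {            # "<priority> <source> ..." lines
        if ($2 == "/var/lib/dpkg/status") {
            if (origin == "") origin = "local"   # only in the dpkg database
            next
        }
        split($3, sc, "/")               # "jammy-updates/main" -> sc[2]
        if ($2 ~ "esm\\.ubuntu\\.com/apps/")       origin = "esm-apps"
        else if ($2 ~ "esm\\.ubuntu\\.com/infra/") origin = "esm-infra"
        else                                        origin = sc[2]
        want = 0                         # highest-priority source wins
        next
    }
    /^ +[^ *]/ && want { want = 0 }      # next version entry: stop looking
    END { flush() }
    '
}

# classify_system: classify every installed package on this machine.
classify_system() {
    command -v apt-cache >/dev/null 2>&1 || { echo "apt-cache not found" >&2; return 1; }
    dpkg-query -W -f='${binary:Package}\n' | xargs apt-cache policy | classify_policy
}

# sample_policy: constructed apt-cache policy output (version strings are
# made up) covering main, an esm-apps pocket, a local-only package and an
# uninstalled package.
sample_policy() {
cat <<'EOF'
vim:
  Installed: 2:8.2.3995-1ubuntu2.15
  Candidate: 2:8.2.3995-1ubuntu2.15
  Version table:
 *** 2:8.2.3995-1ubuntu2.15 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2:8.2.3995-1ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages
nmap:
  Installed: 7.80+dfsg1-2ubuntu0.1~esm1
  Candidate: 7.80+dfsg1-2ubuntu0.1~esm1
  Version table:
 *** 7.80+dfsg1-2ubuntu0.1~esm1 500
        500 https://esm.ubuntu.com/apps/ubuntu jammy-apps-security/main amd64 Packages
        100 /var/lib/dpkg/status
     7.80+dfsg1-2build1 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
mytool:
  Installed: 1.0-1
  Candidate: 1.0-1
  Version table:
 *** 1.0-1 100
        100 /var/lib/dpkg/status
sl:
  Installed: (none)
  Candidate: 5.02-1
  Version table:
     5.02-1 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
EOF
}

if [ "${1:-}" = "--system" ]; then
    classify_system
else
    sample_policy | classify_policy
fi
```

Run it with ‘--system’ on a real Ubuntu machine to list every installed package; pipe the output through ‘sort -k3’ to group packages by origin. Note that an ESM pocket lists its component as ‘main’ even for packages that are in Universe in the archive, which is why the script keys on the esm.ubuntu.com path rather than on the component alone.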
What are esm-apps and esm-infra?
Ubuntu Pro is a broad subscription that includes many different variations of open source packages to meet different needs. You are unlikely to want to use them all at the same time, so you can select the precise stream of updates and versions to apply on any given machine covered by your Pro subscription. For example, Pro includes a set of package versions that are compliant with FIPS regulations. You would want these versions only on machines that need to meet FIPS requirements, so you can choose to enable that stream specifically on those machines.
There are two streams which cover broad-based package security updates; we label these “apps” and “infra”. The “esm-apps” stream covers all ‘Universe’ packages for ten years from the release of the LTS. The “esm-infra” stream covers ‘Main’ packages for the period after the standard five-year security maintenance of ‘Main’ packages ends. We call this ‘infra’ because it is commonly used to build our private cloud, storage and Kubernetes clusters, where ‘Universe’ packages are not typically deployed. You can get a lower-cost Ubuntu Pro (infra-only) subscription if you only want the infra components, which equates to our original ESM offering.
What if I don’t want to opt-in to Ubuntu Pro? Will I stop receiving security updates for my Ubuntu LTS?
No, nothing has changed with Ubuntu LTS. It still delivers standard security updates for the Ubuntu Main repository for 5 years, and best-effort fixes for ‘Universe’ packages. The best-effort fixes for ‘Universe’ include all fixes provided by the Ubuntu community and Debian.
Canonical did not previously have the resources to guarantee security updates for the packages in the ‘Universe’ repository, which is a much larger collection of packages than any other enterprise Linux provides. Thanks to our larger customers we were able to grow our security coverage, and make Ubuntu Pro generally available with the broadest open source security commitment in the world on 26 January 2023.
If you decide to opt-in to Ubuntu Pro with either a free personal subscription or an enterprise subscription, you will get more security updates than ever before. If you don’t opt-in then there is no loss, you can continue using Ubuntu LTS without the Pro subscription as you always did.
Do I need Ubuntu Pro if I am running the latest Ubuntu LTS?
You don’t have to opt-in, but Ubuntu Pro can provide you with more security updates, even on the latest LTS. Furthermore Ubuntu Pro is free for many users and the only thing you need to do is to register with your email address.
That said, if you decide not to opt-in, you can continue using Ubuntu LTS with no changes to the level of security it has been receiving. Ubuntu Pro adds longer lifetime, more security and compliance, but it doesn’t take anything away from Ubuntu LTS.
Will all vulnerabilities get fixed?
The Ubuntu Security Team prioritises critical and high CVEs, and also tackles selected medium CVEs. For enterprise customers with specific compliance requirements, Canonical allows them to sponsor additional patches, down to medium CVEs, for a selected subset of packages and their dependencies.
Canonical doesn’t withhold those commercially “sponsored” security updates. Over the last several years Canonical secured more and more Universe packages via such enterprise customer engagements, and expanded the security team to now cover the full set of packages in ‘Universe’. Therefore a growing portfolio of security updates is already available to Ubuntu Pro users.
Why do I get notified now that there are packages that need security updates?
The APT command-line interface and the desktop Software Updater GUI have always listed updates available for packages installed on your machine. We continue to do that, showing updates that are immediately installable as well as updates that are available with an Ubuntu Pro subscription. The latter are updates for packages in ‘Main’ after the standard five-year period, or ‘Universe’ updates that are not in the best-effort or community-provided set.
With the GA release of Ubuntu Pro on 26 January 2023 we started publishing Ubuntu Security Notices (USNs) for packages in the ‘Universe’ repository, so that enterprise customers have the data they need to meet audit and compliance requirements and assess their own security coverage.
If you only install packages from the Main repository, or if there are no security fixes available for the software that you’re using from the ‘Universe’ repository, you will not see “Ubuntu Pro” updates in your APT CLI or the Software Updater GUI. The message is only displayed when you are using packages for which there are security fixes in Ubuntu Pro, and it gives you the exact list of packages that are affected on your system.
How can you ensure 10 years of security fixes for versions that are not maintained by the upstream anymore?
Long Term Support (LTS) is a term that we coined with the first Ubuntu LTS in 2006! The Canonical Security Team backports security fixes to the package versions that an Ubuntu LTS release shipped with. We take care to avoid changes in ABI where possible, so that people gain security updates without other changes in behaviour.
This approach ensures 10 years of API stability and security with no mandatory upgrades to newer versions of the applications. We contribute to upstream security fixes in current development versions of applications, but for long term maintenance we go well beyond what the upstream community provides. We do that for the entire collection of packages in Ubuntu, which is a much larger surface area of coverage than any other enterprise Linux distribution.
Is Ubuntu Pro about putting important security patches behind some kind of paywall?
Ubuntu LTS security updates are unchanged - we have not in any way reduced our free security support coverage for either ‘Main or Universe’ packages. An Ubuntu Pro subscription offers additional security patches, which Ubuntu LTS has never provided before. Nothing changes about what’s been provided as part of Ubuntu LTS.
New patches provided by Canonical to Ubuntu Pro subscribers cover the ‘Universe’ repository (for 10 years) and the ‘Main’ repository (for 5 additional years after the 5 years of free standard support, which comes without any subscription required). This doesn’t impact security fixes provided by the Ubuntu community, or by Canonical, as we have always had a policy of best-effort fixes in ‘Universe’.
Companies using Ubuntu at large scale who want the additional benefits of Ubuntu Pro can try a free, one-month Ubuntu Pro subscription directly from the Ubuntu shop, or from the public cloud marketplace (AWS, Azure, Google). The pricing for Ubuntu Pro is simple and transparent.
Can I disable Ubuntu Pro notifications?
Yes, you can disable system awareness of Ubuntu Pro security updates as well as the APT news feed that provides an overview of current issues.
Ubuntu Pro security update information is managed by APT hooks described in the official documentation. The relevant config file is /etc/apt/apt.conf.d/20apt-esm-hook.conf and you can comment lines out to remove that source of information.
APT news shows up in the APT CLI and will soon be added to the Software Updater GUI, to help people understand the nature of recent updates and inform their decisions about when to apply them. You can switch APT news off (or back on) with the command ‘sudo pro config set apt_news=false’ (or ‘apt_news=true’).
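As an added example (not from the original FAQ or the Pro client), the following script applies both changes above idempotently: it comments out every active directive in the hook file after copying it to a backup directory outside apt.conf.d (APT parses, or warns about, every file it finds in that directory, so a copy left beside the original is not harmless), checks the effective APT configuration with ‘apt-config dump’, and turns off APT news with ‘pro config set’. It assumes the hook directives mention ‘esm’, as the file name suggests; the directive text used in comments and tests is constructed and is not the real file. Run it as root.

```shell
#!/bin/sh
# Added example (not part of the original FAQ or of the Pro client). Turns
# off both sources of Ubuntu Pro messages described above, idempotently:
#   1. the APT hook registered by /etc/apt/apt.conf.d/20apt-esm-hook.conf,
#      by commenting out every active directive in that file;
#   2. APT news, via `pro config set apt_news=false`.
# Run as root. Any directive text shown here is constructed and only
# illustrates the shape of an apt.conf.d file, not the real hook file.

HOOK_CONF=${HOOK_CONF:-/etc/apt/apt.conf.d/20apt-esm-hook.conf}
# Backups go outside apt.conf.d: APT parses (or warns about) every file it
# finds there, so a copy left beside the original is not harmless.
BACKUP_DIR=${BACKUP_DIR:-/var/backups}

# count_active FILE: lines APT would still parse ('#' and '//' comments
# excluded; a line starting with '/' is treated as a comment).
count_active() {
    grep -c '^[[:space:]]*[^#/[:space:]]' "$1" || true
}

# disable_apt_esm_hook [FILE] [BACKUP_DIR]: comment out every active line,
# preserving indentation, after saving a backup. A second run changes nothing.
disable_apt_esm_hook() {
    f=${1:-$HOOK_CONF}
    bdir=${2:-$BACKUP_DIR}
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    if [ "$(count_active "$f")" -eq 0 ]; then
        echo "$f: already disabled"
        return 0
    fi
    mkdir -p "$bdir"
    cp -p "$f" "$bdir/$(basename "$f").bak" || return 1
    # e.g. 'APT::Update::Post-Invoke-Stats {' -> '# APT::Update::Post-Invoke-Stats {'
    sed -i 's|^\([[:space:]]*\)\([^#/[:space:]]\)|\1# \2|' "$f"
}

# verify_hook_gone: after the edit, APT's effective configuration should no
# longer contain an ESM hook directive (assumes it mentions "esm"). Skipped
# where apt-config is absent.
verify_hook_gone() {
    command -v apt-config >/dev/null 2>&1 || return 0
    if apt-config dump | grep -qi 'esm'; then
        echo "warning: an esm directive is still active in apt-config dump" >&2
        return 1
    fi
    echo "no esm directive in apt-config dump"
}

# disable_apt_news: the Pro client setting from the FAQ; no-op without pro.
disable_apt_news() {
    command -v pro >/dev/null 2>&1 || { echo "pro client not installed" >&2; return 0; }
    pro config set apt_news=false
}

if [ "${1:-}" = "--apply" ]; then
    disable_apt_esm_hook && verify_hook_gone && disable_apt_news
fi
```

Invoke it with ‘--apply’. Because 20apt-esm-hook.conf lives under /etc it is a dpkg conffile of the package that ships it, so a later upgrade of that package will ask whether to keep your locally modified version; keep it, or re-run the script after the upgrade.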
Why am I seeing updates for ARM if the update is only relevant for another architecture?
This is a known bug and the team is working to fix it so that you’ll only see updates that are actually available to your machine. ARM is fully supported with Ubuntu Pro, starting with Ubuntu 18.04 LTS.
Where can I find more details about how to use Ubuntu Pro?
Our documentation site is continuously updated with information on how to use the Ubuntu Pro client. For a quick getting started guide, follow our tutorial.
What can I do if I have more questions?
Please raise your questions below. I will make sure that this FAQ stays alive.