Why is Extended Security Maintenance needed for apps in Ubuntu 20.04.x LTS in 2021?

nio-wiklund · December 20, 2021, 6:28pm

After reading this link (and the following posts) I checked in my computer.

tester@lenovo-v130:~$ ubuntu-security-status 
1832 packages installed, of which:
1673 receive package updates with LTS until 4/2025
 152 could receive security updates with ESM Apps until 4/2030
   7 packages are from third parties

Packages from third parties are not provided by the official Ubuntu
archive, for example packages from Personal Package Archives in
Launchpad.
For more information on the packages, run 'ubuntu-security-status
--thirdparty'.

Enable Extended Security Maintenance (ESM Apps) to get 10 security
updates (so far) and enable coverage of 152 packages.

This machine is not attached to an Ubuntu Advantage subscription.
See https://ubuntu.com/advantage
tester@lenovo-v130:~$

Questions

Why is Extended Maintenance needed for apps in Ubuntu 20.04.x LTS in 2021?
Which are those 10 security updates that need ESM? Is there a link where they are listed?
Where are the 152 packages (that need ESM) listed?

oSoMoN · December 20, 2021, 7:17pm

This sounds like a misleading, incorrect message. ESM wouldn’t be needed (or even enabled) until 20.04 is EOL, in 2025. Can you file a bug issuing the following command: ubuntu-bug update-manager-core ?

More info on the packages covered by ESM is available on the following wiki page: https://wiki.ubuntu.com/SecurityTeam/ESM.

nio-wiklund · December 21, 2021, 9:11am

Here is the bug report:

Please add heat by clicking on the bug report’s ‘Affects me too’ button (if it affects you).

nio-wiklund · December 21, 2021, 9:43am

The bug report was declared invalid, so we are back to where we started

So again, which packages in Ubuntu 2021 need ESM to be upgraded during 2021? Until [re]solved, several people are suspecting that there is a security hole here.

nio-wiklund · December 21, 2021, 9:36am

The bug report was refused. What to do next?

oSoMoN · December 21, 2021, 9:52am

See my last comment on the bug. Julian suggested to continue the conversation here, which sounds reasonable. Note that a lot of people are on holidays now, so don’t expect an answer until the new year.

nio-wiklund · December 21, 2021, 9:57am

@oSoMoN, I’m looking forward to cooperating with you after the holiday season …

jaime-cruz · December 21, 2021, 11:45am

Just saw this and ran “ubuntu-security-status” on my 20.04.3 system. Seeing the same result so I’m going to follow this thread to see what’s going on.

bernard010 · December 22, 2021, 3:49am

Ubuntu 20.04.3 LTS Focal Fossa Changes August 26, 2021 April 2025 April 2030
ESM will start after April 2025.
All security Updates will be through your regular updates prior to 2025.
The 10 security updates are through your regular updates.
The 152 packages that will need ESM in 2025 is True. For now is covered through your regular updates until then in 2025.

nio-wiklund · December 22, 2021, 8:09am

I wish, hope and think that you are right - but want it confirmed by an Ubuntu ‘insider’.
The text printed by ubuntu-security-status should describe the real situation and be understood by normal end users (many of us are not very good at English, so we need straightforward expressions).

juliank · January 4, 2022, 7:01pm

The message is correct insofar as several updates are available in the ESM Apps repository (as you can see yourself by looking at the Packages file). It will start making sense once ESM Apps has been launched. We are investigating some improvements to the messaging.

In the meantime, I hope it suffices to say that there is no accident where regular security updates were pushed in the wrong repository or a reduction in security support for packages: Packages in main get security support, packages in universe and multiverse still do not have support, but may get community contributed security updates.

renanrodrigo · January 14, 2022, 2:26pm

Hello all,
I sent a patch to the bug that hides the information about ESM-Apps while it is in beta state unless the user has explicitly enabled it.
This matches the behavior that UA Client has about the updates.

Please let me know if it is acceptable, or if there is anything else we can do to help.

tron · September 26, 2022, 11:14am

Hi, not sure if this is open, but I received a simmilar message in a recently updated to 22.04 server:

$ ubuntu-security-status
1574 packages installed, of which:
1189 receive package updates with LTS until 4/2027
348 could receive security updates with ESM Apps until 4/2032
14 packages are from third parties
23 packages are no longer available for download

Been reading, some ubuntu pro pages go 404, but attached the server with a free for personal use token and still:

$ sudo ua enable esm-apps
One moment, checking your subscription first
This subscription is not entitled to Ubuntu Pro: ESM Apps

All of which would I would not care that much if I was not reminded at every login:

6 additional security updates can be applied with UA Apps: ESM
Learn more about enabling UA Apps: ESM service at https://ubuntu.com/esm

renan.rodrigo · September 26, 2022, 12:40pm

Hello - which version of ubuntu-advantage-tools is installed (ua --version)? Is it installed from -proposed?

renan.rodrigo · September 26, 2022, 12:48pm

I mean, if this is the case (-proposed enabled, ubuntu-advantage-tools is version 27.11~22.04.1) then that’s about it - this version will only hit the archive once everything else is aligned for the services to work (including esm-apps going out of beta, and thus generating proper output for security-status).

By the time that happens, any pages that are 404ing will be there, and your token will be entitled to esm-apps so it will be possible to enable it.

tron · September 26, 2022, 2:16pm

Your first question:

$ ua --version
27.11~22.04.1

Your second thoughts might be true, but I don’t remember doing anything to be using some beta, so standard user (me ?) gets involved in confusing state …

renan.rodrigo · September 26, 2022, 2:39pm

Yes, you are correct - nothing was done our side to enforce the beta for any user as well.

However, this version of ubuntu-advantage-tools from -proposed is the one bringing the Service to a non-beta state, thus making it generally available. The thing is that didn’t fully happen yet in the backends - and this version will only hit the archive (and be available to all users) once everything is in place.

Another thing to keep in mind is that we don’t expect standard users to have -proposed enabled. Packages there may be broken or in inconsistent state, and are mainly available for pre-testing before officially released - which I see is exactly the case here.

tron · September 26, 2022, 6:10pm

So how did I end up with a “-proposed” version of ua ?
Do you have any theory/hipothesis ?

renan.rodrigo · September 26, 2022, 6:30pm

Hmmmm, not really.
It is not enabled by default in an Ubuntu installation…
As of https://wiki.ubuntu.com/Testing/EnableProposed, it got in your sources.list somehow.
An uncommented line found via sudo grep -r -n /etc/apt/ -e 'jammy-proposed' may be the culprit.

tron · September 26, 2022, 7:36pm

# grep proposed */*
apt.conf.d/50unattended-upgrades:// “${distro_id}:${distro_codename}-proposed”;

I’m positive I have never written “proposed”.
This is a 22.04 upgraded from a clean 20.04 install. I did recover from an upgrade situation with a “something … config -a” because the upgrade stalled.

Should I comment that line ?

Ok, I’m limited to only 3 replies (newbee here) but was saying:
Hmm, stupid me, that line is commented.
But I found another one from focal:

sources.list.save:deb http://archive.ubuntu.com/ubuntu/ focal-proposed main

that may be mutated into:

sources.list:deb http://archive.ubuntu.com/ubuntu/ jammy-proposed main

So I guess I should comment this one ? It might be an upgrade byproduct ? Big thanks anyway!