Yes, Ubuntu is withholding security patches for some software
flu0r1ne.net
Related ongoing thread:
Ubuntu Pro Shenanigans - https://news.ycombinator.com/item?id=38254040 - Nov 2023 (92 comments)
Debian is looking better and better.
It always has. You can only convince a billionaire to hate money for so long. Mark is going to rip the rug out on everyone soon enough.
Except it doesn't really have PPAs... which limits outside contribution and is a huge downside.
What is the advantage of PPAs over an apt repo that users place in /etc/apt/sources.list.d/someexternalapp? Is it having a central site that users can search for packages? Basically a social portal?
Having an automated per-user publishing pipeline for packages is a non-trivial endeavour.
These days you can get close with GitHub Actions-style pipelines and releases, but the PPA system has always been a more complete platform in terms of dependency management.
You can get close with some Debian tooling (I'm a fan of sbuild), but it's some overhead to deal with.
Agreed. I'd love to switch to Debian, but the lack of PPAs makes it difficult.
Also Debian is always much further behind than Ubuntu on new packages.
IIRC, you can still add those repos. The PPA system just makes it a little easier to add them.
It's one of those things that will probably work most of the time.
PPAs are built against Ubuntu packages as dependencies, which usually but not always match Debian ones. Easy way to get subtly broken programs.
Can you explain how better? A link to an example, maybe?
I'm so confused.
When I install an LTS version with a Universe package like ffmpeg, does everything continue getting security patches for the full five-year LTS life?
Or do I now need Ubuntu Pro to get the full five years?
Universe packages are not supported by Ubuntu unless you activate Ubuntu Pro. Thus, if you install ffmpeg on Ubuntu without Pro, it will contain several active vulnerabilities. The full five years only applies to packages in the main repo.
I wanted to find another reason to not use Ubuntu for servers (besides Snap being forced on everyone) and this was it.
At least, in Debian, most of the packages I use on my server are from their main repos. Occasionally there are a few from other sources but by the time a new Debian patch is released, those other packages are also updated.
That's absolutely terrible and not clear at all.
I've been tempted to go back to Arch and I think this can be a good motivator.
That is also absolutely unchanged compared to "since forever". Canonical supports "main", while "universe" and "multiverse" offer best-effort community support (aka from Debian). They now additionally offer a dedicated team for those repos.
Honest question, since the Arch wiki seems surprisingly spotty on this: which Arch repos are covered by their security team? Just core? Or also extra? More than that? AUR surely not, right?
Not even "from Debian". Sometimes they can't be bothered to copy Debian packages that fix security issues if the package is in universe, and just leave it vulnerable for the entire duration of the LTS.
Happened to me.
Just to be clear, on Arch ffmpeg is outdated (6.0 vs 6.1). This means it has three security vulnerabilities.
It's not the case for this example of ffmpeg (it's actually not patched), but make sure to check the actual changelog. Sometimes the version is kept, but the patches are backported, so a plain version comparison is not enough.
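A check for the point made above (the installed version string alone does not tell you whether a fix was backported), as an added example and not part of the thread: it parses a Debian-format changelog and reports whether a given CVE id appears in the installed version's entry or an older one. The changelog text, version strings and CVE ids below are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a CVE is already patched
# in the installed version of a package by reading its Debian-format changelog
# instead of comparing upstream version numbers (backports keep the version).
# Assumes: "pkg (version) dist; urgency=..." header lines and CVE ids written
# in entry bodies. The changelog and CVE ids below are constructed placeholders.

# cve_fixed_in_installed CHANGELOG_FILE INSTALLED_VERSION CVE_ID
# Prints "fixed" (exit 0) if CVE_ID appears in the entry for INSTALLED_VERSION
# or any older entry, else "unfixed" (exit 1). Entries are newest-first, so
# every mention after the installed version's header is in a version we have.
# An installed version absent from the changelog is reported as "unfixed".
cve_fixed_in_installed() {
    awk -v ver="$2" -v cve="$3" '
        # Header: "package (version) distribution; urgency=..."
        /^[a-z0-9][a-z0-9.+-]* \(/ {
            v = $2; sub(/^\(/, "", v); sub(/\)$/, "", v)
            if (v == ver) reached = 1
            next
        }
        reached && index($0, cve) { found = 1; exit }
        END { print (found ? "fixed" : "unfixed"); exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed sample changelog (newest entry first); stands in for the
# output of: apt-get changelog ffmpeg
sample_changelog() {
    cat <<'EOF'
ffmpeg (7:6.0-1ubuntu1.2) noble-security; urgency=medium

  * SECURITY UPDATE: placeholder fix (CVE-0000-0002)

 -- Maintainer <maintainer@example.com>  Mon, 01 Jan 2024 00:00:00 +0000

ffmpeg (7:6.0-1ubuntu1.1) noble-security; urgency=medium

  * SECURITY UPDATE: placeholder fix (CVE-0000-0001)

 -- Maintainer <maintainer@example.com>  Fri, 01 Dec 2023 00:00:00 +0000

ffmpeg (7:6.0-1ubuntu1) noble; urgency=medium

  * New upstream release.

 -- Maintainer <maintainer@example.com>  Wed, 01 Nov 2023 00:00:00 +0000
EOF
}
```

Against a live system, save the real changelog with `apt-get changelog ffmpeg > /tmp/ffmpeg.changelog` and call `cve_fixed_in_installed /tmp/ffmpeg.changelog "$(dpkg-query -W -f='${Version}' ffmpeg)" CVE-ID`.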
Debian's ffmpeg is at 6.1, no subscription nonsense required.
Universe is supported on a "best effort" basis.
Just stop using Ubuntu. It's bullshit with shit governance run by crazy people.
For servers, CentOS is reliable as fuck.
This is why I tell everyone to avoid the psychos at Canonical and use either CentOS 9 Stream, Fedora, or Debian.
I fear for the future of Red Hat products.
IBM isn't exactly the most trustworthy steward.
Didn't CentOS... go away, or am I confusing it with another distro?
CentOS used to be a 1:1 clone of RHEL sans branding; IBM replaced it with the rolling-release 'CentOS Stream', upstream of RHEL.
Now we have 'Rocky Linux' taking the place of the old downstream CentOS as 1:1 bug-for-bug RHEL compatible (against IBM's wishes),
and 'AlmaLinux' building a stable release on top of CentOS Stream (which IBM seems to be OK with).
Thanks for posting the details. I'll check out Rocky and Alma.