Ubuntu Linux LTS Releases Get Up To 12 Years of Support (betanews.com)
BrianFagioli shares a report from BetaNews: Canonical, the company behind the popular Ubuntu operating system, has announced a significant extension to the support lifecycle of its long-term support (LTS) releases. The new paid Legacy Support add-on for Ubuntu Pro subscribers will now provide security maintenance and support for an impressive 12 years, extending the previous 10-year commitment. This enhancement is available starting with Ubuntu 14.04 LTS and will benefit both enterprises and individual users who rely on the stability and security of Ubuntu for their critical systems. By default, Ubuntu LTS releases receive five years of standard security maintenance. However, with Ubuntu Pro, this is expanded to 10 years for both the main and universe repositories, offering access to a broader range of secure open-source software.
The Legacy Support add-on further extends this period by an additional two years, ensuring that organizations can maintain their systems with the latest security patches and support services without the immediate need to upgrade to a newer OS version. This is particularly beneficial for large, established production systems where transitioning to a new OS can be a complex and risky endeavor due to the potential need to update the entire software stack. The extended support includes continuous vulnerability management for critical, high, and medium Common Vulnerabilities and Exposures (CVEs) across all software packages shipped with Ubuntu. Canonical's security team actively backports crucial fixes to all supported Ubuntu LTS releases, providing peace of mind to users and enterprises. In addition to security maintenance, the Legacy Support add-on also offers phone and ticket support, enhancing Canonical's commitment to assisting customers with troubleshooting, break fixes, bug fixes, and guidance.
How much does the "support add-on" cost? (Score:5, Informative)
Oh it's free for personal use. And $25/year/machine for a business, with some breaks if you go with unlimited/VM subscription.
So far it's less tedious than Red Hat and SuSE's subscription process. A useful free tier (registration required) on top of the already free zero support tier, that doesn't require anything special out of cheapskates like me is especially appreciated.
Re:How much does the "support add-on" cost? (Score:5, Interesting)
I actually wonder what the point is of "free for personal use". Support means keeping a running system running. In 2024 a lot of users, even of LTS releases, will be chasing some software updates at some point which are not part of the standard supported PPAs. Once you start adding external package managers to the OS you defeat the purpose of the LTS release and invite package incompatibilities.
Even if you are of the opinion that every app should be a Docker container in only a few short years you'll rapidly find that Docker itself has changed. E.g. try and follow any current installation guide for a Docker container and apply it to a Ubuntu 20.04 LTS release and you'll run into problems since Docker changed the way containers are started and stopped quite a few years ago.
There's a cost to not upgrading, and personal users aren't the type to run mission critical systems supporting edge case hardware, nor tolerate out of date user facing applications. I think the target market for this may be limited.
Re: (Score:2)
I was thinking the same thing. This is really only 'useful' for stuff like machine controls, test equipment, and maybe in some cases enterprise servers.
For every other case you'll be left behind in terms of the platform requirements to run any contemporary package. Which in practical terms means you won't be interacting with the rest of the world. Try browsing the web with a Chrome or Firefox more than a couple of years old for example... Ditto for any documents anyone sends you etc.
Heck a lot of larger projec
Re: How much does the "support add-on" cost? (Score:1)
The free version is for small IT shops; they get these features and at some point someone will want to stop juggling and pay for 25 licenses.
Re: (Score:2)
Back in mid 2018 we had some people declaring they needed to run Ubuntu 18.04, and asking if the IT team would support them, because RHEL 7 was hopelessly out of date and they needed everything down to the kernel to keep up to date with the latest and greatest, and it was embarrassingly bad to be running a distribution based on 4 year old code. They were told sure, subject to self-administration with some auditing.
Now in 2024, they have been out of compliance for a year because they don't have the budget fo
Re: (Score:2)
We needed to stay on various ancient LTS versions because they were required to build older projects. This was getting to be a problem - in 2018 it was hard enough to find hardware that would run vanilla 14.04 without issues. The hardware had simply moved on too much. Imagine having to buy a beefy laptop only to have to hook up external mice and Ethernet because there was no support for the built in touchpad, wifi and other devices.
And yet, that was the reality - we needed 14.04 as that's what Android requi
Re: How much does the "support add-on" cost? (Score:1)
That is what Docker is for. I can run Ubuntu 16 stuff in a container. On the other hand, the Linux ABI is relatively stable, I rarely had an issue running stuff on newer versions especially once vendor support has already gone out the window.
Re: (Score:2)
80% of the time it works 100% of the time. But seriously, Docker, podman, K8s, etc are a great way to deal with running apps tied to a distro. You still have security concerns if you've fallen off the distro vendor's support schedule. While the security issues might only be isolated to that container, in practice a customer's useful information is exposed by your app running in an insecure environment. So hardly better than running an old unsupported distro on bare metal versus in a container.
Re: (Score:2)
Double edged sword. A decent practice, but it also triggers even worse dependency refresh discipline because "whew, it's in a container now, we don't have to worry about security anymore", which is wrong, yet a prevailing sentiment.
Re: (Score:1)
You can build safeguards around it now, there is always nGINX and other app firewalls. The app inherently doesn't have to be insecure, it's just all its dependencies are but you can handle eg. TLS in ultra-modern containers.
Re: (Score:2)
You can around *certain* things. Yes, you can force TLS termination to happen outside of the applications, mitigating the risk that OpenSSL vulnerabilities are your problem. However TLS vulnerabilities are not the only vulnerabilities that may afflict a service. Also, depending on how things are, you might terminate TLS too early and open up gaps that a security person would frown upon where there's no protection. Don't know how actionable those gaps would actually be in typical scenarios, but it certainly r
Re: (Score:1)
Hence why you build an app firewall; if things go outside the parameters (if you're only expecting POST/GET) you don't need to handle potential exploits. Most of the time the issue is in a library and in most cases you can catch these issues or isolate them.
Re: (Score:2)
ESM (Expanded Security Maintenance) should take 18.04 users through 2027 [ubuntu.com]. I think if it is important to your business, then you should be paying your Linux vendor (Canonical in this case). Hardware Enablement (HWE) kernels also let you bring software stacks onto new hardware, and in some cases you pick up security fixes and performance improvements that are in newer kernels. But limited support for newer kernel features without a new glibc version (but that's OK if you're intentionally running on an old rele
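Both the container thread above (a stale base image is still a stale Ubuntu, as that comment notes) and this ESM comment come down to one question: which support window is this install or image currently in? The script below is an added example, not Canonical's tooling and not from anyone in the thread. It reads /etc/os-release text (what `docker run --rm <image> cat /etc/os-release` prints for a container image) and classifies the release using only the windows the summary states: 5 years standard, 10 with Ubuntu Pro, 12 with the Legacy Support add-on from 14.04 onward. The sample os-release contents are constructed, and the assumption that each window ends on 30 April of the release year plus 5/10/12 is mine; Canonical's published dates are the authority, so treat the output as a triage signal.

```python
"""Classify an Ubuntu install or container base image into its support phase.

Added example, not Canonical's tooling. It uses only the windows stated in
the article: 5 years of standard security maintenance, 10 with Ubuntu Pro
(ESM), 12 with the Legacy Support add-on (14.04 LTS and later).
Assumption: LTS releases ship in April of even years and each window is
taken to end on 30 April of release year + 5/10/12; Canonical's published
dates can differ, so use this as a triage signal, not a contract.
"""
from datetime import date
import re

STANDARD_YEARS, PRO_YEARS, LEGACY_YEARS = 5, 10, 12
FIRST_LEGACY_RELEASE = (2014, 4)   # article: add-on available from 14.04 LTS


def fake_os_release(version_id, codename):
    """Constructed /etc/os-release text for a sample image (not captured)."""
    return (
        'NAME="Ubuntu"\n'
        f'VERSION="{version_id} ({codename})"\n'
        "ID=ubuntu\nID_LIKE=debian\n"
        f'VERSION_ID="{version_id}"\n'
        f"VERSION_CODENAME={codename}\n"
    )


SAMPLE_FOCAL = fake_os_release("20.04", "focal")
SAMPLE_TRUSTY = fake_os_release("14.04", "trusty")


def parse_os_release(text):
    """Parse KEY=value lines (shell-style quotes stripped) into a dict."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key] = value.strip().strip('"').strip("'")
    return fields


def release_date(version_id):
    """Ubuntu VERSION_ID is YY.MM; map it to the first of that month."""
    m = re.fullmatch(r"(\d{2})\.(\d{2})", version_id)
    if not m:
        raise ValueError(f"unrecognised VERSION_ID {version_id!r}")
    return date(2000 + int(m.group(1)), int(m.group(2)), 1)


def support_phase(fields, today):
    """Return (phase, window_end): phase is standard, pro, legacy, interim or eol."""
    if fields.get("ID") != "ubuntu":
        raise ValueError("not an Ubuntu image")
    rel = release_date(fields["VERSION_ID"])
    lts = rel.month == 4 and rel.year % 2 == 0
    if not lts:
        # Interim releases get 9 months and no ESM at all.
        m = rel.month + 9
        end = date(rel.year + (m - 1) // 12, (m - 1) % 12 + 1, 1)
        return ("interim" if today <= end else "eol", end)
    ends = {name: date(rel.year + years, 4, 30)
            for name, years in (("standard", STANDARD_YEARS),
                                ("pro", PRO_YEARS),
                                ("legacy", LEGACY_YEARS))}
    if (rel.year, rel.month) < FIRST_LEGACY_RELEASE:
        del ends["legacy"]          # no Legacy add-on before 14.04
    for phase, end in ends.items():   # insertion order: standard, pro, legacy
        if today <= end:
            return (phase, end)
    return ("eol", max(ends.values()))


def audit(os_release_text, today_iso):
    """String-only wrapper: {'version': ..., 'phase': ..., 'ends': 'YYYY-MM-DD'}."""
    fields = parse_os_release(os_release_text)
    phase, end = support_phase(fields, date.fromisoformat(today_iso))
    return {"version": fields["VERSION_ID"], "phase": phase,
            "ends": end.isoformat()}


if __name__ == "__main__":
    for text in (SAMPLE_FOCAL, SAMPLE_TRUSTY):
        print(audit(text, date.today().isoformat()))
```

Feed it real output (`cat /etc/os-release` on the host, or the same command run inside each image your CI builds from) and alert on anything reporting `pro` or `legacy` without a matching Pro attachment, and on `eol` unconditionally; a container that lands in `pro` has left free security maintenance no matter how new the application layer on top of it is.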
Re: (Score:2)
Even if they paid for the security updates, they are still fundamentally screwed because the third party applications they use no longer offer updates that support it either.
They started at a place of looking down on "old software" and are now the worst offenders for demanding stale old software (even though 99.999% chance the upgrade would do them just fine, just blind fear and uncertainty around their "image".
Re: (Score:2)
I think you missed my point - that non-business consumers won't need this. It doesn't sound like your scenario would fall under "free for personal use" and would still be subject to the cost of LTS support agreements.
Re: (Score:2)
I know, I was adding on that even the paying audience is usually doing themselves a disservice by being too scared to update.
Re: (Score:2)
that doesn't require anything special out of cheapskates like me is especially appreciated.
Fuck no, now I'm never going to upgrade. I am this guy:
https://xkcd.com/1328/ [xkcd.com]
At least I was forced to upgrade before :(
Re: (Score:2)
I'm still running Lubuntu on my EeePC 701. I can't be bothered to upgrade my toys, because more than likely they'd just break.
If someone is paying me, then sure. I'll dive in and spend hours and hours with this Linux installation bullshit.
Re: (Score:2)
I'm still running Lubuntu on my EeePC 701.
How is that? The keyboard in my 900 kinda conked out, so I've not used it recently. It was getting a bit long in the tooth a number of years ago.
If someone is paying me, then sure.
No one pays me to not get pwn3d on the internet but I do not wish to be.
I'll dive in and spend hours and hours with this Linux installation bullshit.
Hours?
Re: (Score:2)
Hours?
My typical estimate is that one machine takes 0-5 hours. 0 if the machine has flawless support. More if I want something minor to work on it like audio playback.
And if someone is paying me, it's not one machine, it's dozens to hundreds.
Re: (Score:2)
I've not had an audio problem in years. Come to think of it, I don't think I've had a machine without flawless support in years (I go with laptops officially supported by their manufacturer), and desktops just work.
I always do a bit of research before dropping a bunch of cash on something.
But like I said, I keep my own machines patched for free because no one pays me to not get pwn3d.
will they back port drivers / kernel drivers? (Score:2)
will they back port drivers / kernel drivers?
Re: (Score:2)
well newer hardware with the older LTS software stack may be needed in some cases.
Re: (Score:2)
I'll say that vendor drivers in a Linux ecosystem are a mess:
-They have to be recompiled every update. There are systems to automate that, but it can mean longer boots after an update, and even then a lot of vendors don't even hook those facilities and demand you manually compile.
-Because they have to be recompiled, if you want SecureBoot for whatever reason, then you have a whole other can of worms with enrolling your certificate and properly protecting the key material, which if done adequately defeats t
Re: (Score:2)
How often do you deal with people having to custom compile a driver for their kernel? If you know the version of the OS doesn't support your machine, why pick that one (you wouldn't install an old version of Windows expecting hardware support)?
Outside of maybe gpu drivers but that is most likely not a huge issue for enterprise users.
Re: (Score:2)
People *having* to, rarely. People *thinking* they have to, commonly.
Device vendor tells us we are unsupported unless we use the driver downloaded from their site, even though it's some boring mundane thing that's also upstreamed in the kernel.
Filesystem vendor (yes, some people still go for out-of-tree filesystems) mandates a custom kernel module.
People are afraid of breaking their applications if the kernel is changed (I have *never* seen an application broken, but people *constantly* assume it is a certa
Re: will they back port drivers / kernel drivers? (Score:1)
Almost all major vendors nowadays have entire package repo servers with every old and new package. nVIDIA, Intel, Dell, you can pretty much do an apt or yum install for all of them.
Re: (Score:2)
Note that 99% of the time, those akmods or similar still run afoul of the "must recompile" problems. It may be more nicely packaged, but still is afflicted by the recompile limitations. Also, while akmods are abound for nVidia GPUs, if you search on nvidia's website, it just takes you to the '.run' file. Thus a lot of solutions treat this as the 'blessed' way and document accordingly. Some NIC vendors will tell you to download a tgz and figure it out.
Re: (Score:1)
nVIDIA specifically has dkms or even pre-compiled drivers these days for all major Linux distros - eg: https://developer.download.nvi... [nvidia.com] If you have a NIC that doesn't live in the Linux tree, you're probably doing something wrong, but both Broadcom, Intel and nVIDIA (the major players) have 'newer' drivers properly packaged.
Re: (Score:2)
LTS is about keeping an old system going. If you have new hardware, upgrade the version of Ubuntu that you are using. If the hardware is broken then eBay is your friend. If the old hardware no longer can cope with an increased workload then upgrade. However, frankly, suck that damn thing into a VM for crying out loud and your "hardware" issues go away.
Re: (Score:2)
will they back port drivers / kernel drivers?
To some degree. There are HWE stacks, which provide newer kernel/drivers for older LTS releases.
https://wiki.ubuntu.com/Kernel... [ubuntu.com]
Re: (Score:2)
Ubuntu does not do that, they instead release new kernels for old distributions, with the generally accurate assumption that the kernel is sufficiently good at backwards compatibility, even LTS sensitive folks can tolerate changes. Though at a glance it doesn't look like they promise HWE type updates into the "pro-only" phase, they switch to security updates only.
For those that are too scared of even that, there is the default kernel, which will be old and not able to support newer hardware, but if the user
What? (Score:5, Interesting)
I'm not large, but I run several thousand Linux and BSD machines in the healthcare world.
We don't pay a cent for operating systems or the software we run with the exception of:
* A few Windows licenses for VMs we can't avoid using
* Two VMs in the cloud ($40/mo) where one is a bastion host and the other is accessible over a private network from the first one. Both boxes only have SSH open.
It's pretty trivial to avoid using an ancient version of the OS too...every few years we test with new hardware and the latest version of the OS, then start rolling out upgrades.
Seriously...who in the fuck pays to stay on seriously outdated operating systems? Pacemaker manufacturers?
Re:What? (Score:5, Insightful)
One of the biggest fights to have Linux in the enterprise is having 24/7/365 commercial support. This may not be used, but it makes the bean counters happy. This is also why Red Hat was a single player in a lot of enterprises, after 2001, when "consultants" would rip out all Linux stuff wholesale, screaming, "This isn't SOX compliant".
Companies want support agreements. Mainly for a "throat to choke" if things are down, and they need a bug fixed ASAP, something that may not be possible otherwise.
Of course, a lot of environments don't care for this, but for many companies, and almost all the big guys, this is a major barrier. Having 24/7/365 support is why Proxmox and XCP-NG have not been widely adopted in the enterprise.
Re: (Score:1)
You'll probably find that's for cyberinsurance. Cyberinsurance companies are bigger scumbags than even regular run-of-the-mill insurance companies and will conduct a full audit every time you try to make a claim. If they find a single system that hasn't got all of the patches for known CVEs they'll torpedo your entire policy, even if that system
Re: (Score:3, Insightful)
I'm still stunned that some businesses pay for Linux. I run several thousand Linux and BSD machines in the healthcare world. We don't pay a cent for operating systems
You are a problem. You are a leech. A parasite.
I understand individuals and small businesses not paying. You run "several thousand" machines? Linux brings an enormous value to your business. You should pay for it: buy, donate, whatever.
Re: (Score:3)
No. The license means what it says. The people who contribute that code have done so with no expectation of end users paying. There are no terms other than the explicit ones. They don't need you shaming people to do something they didn't request.
Re: (Score:2)
Is the healthcare world fine with running software with zero commercial support?
I thought they were one of those which require everything to have support so that at worst they can pass the buck, even if the commercial support is useless?
Hopefully better TPM support for LUKS... (Score:2)
I know that Ubuntu 23.10 has support for booting and unlocking the root filesystem via LUKS. I'm hoping this makes into the server and desktop versions of the next LTS release, and it offers the ability to choose one's root filesystem for this.
Having autoboot FDE is something critical for a lot of server applications, especially servers where it isn't permitted to use a Tang/Clevis server to unlock drives on boot. Yes, it does have its weaknesses, like TPM sniffing, but those are mostly handled by modern
Re: Hopefully better TPM support for LUKS... (Score:1)
It's been there since Ubuntu 18 at the very least with some minor modifications for FDE+TPM. 22 had systemd-cryptenroll which does TPM or Tang enrollment of your boot-time LUKS2 container and Secure Boot has been there as well.
What has changed is that they now have the option as a checkbox during the installation.
Re: (Score:2)
That checkbox during installation is the big part. Just to make it easier to do at install time, rather than a lot of manual overhead.
Nooooo (Score:2, Funny)
This sucks for IT having to maintain a bunch of different OS versions. Used to be they could force people to upgrade. I'll bet some big corporate CIO who wanted to save pennies in the short term until his stocks vest or he's promoted to CEO is behind pressuring Ubuntu into this.
Re: (Score:3)
This sucks for IT having to maintain a bunch of different OS versions.
Seriously?
Look: I upgrade most of the stuff I manage to each new LTS release. But sometimes you have that famous situation: "Never touch a running system." I have one machine still running an older Ubuntu version. It has various services running, and getting those services running again after a major upgrade is...not easy. Why waste the time? They work, the old LTS version is still supported - it is far better to leave them untouched for as long as possible.
Re: (Score:2)
IT doesn't have to hold to the same commitments that the vendor does, they can discontinue support if it doesn't fit their needs.
In fact, there are likely things that make the platform unsupportable even if Ubuntu supports it. For example, recently I was able to concretely force a team to finally do a 'do-release-upgrade' because they run gitlab and gitlab stopped doing any updates for their chosen LTS version, and thus there was no proper way to apply updates for Gitlab's vulnerabilities of the week anymo
Ubuntu 14.04 LTS ? (Score:2)
Re: (Score:1)
from TFA:
Nope. (Score:3)
I ain't paying for Linux.
You can really, really, really stop trying.
Especially when all I'm paying for is someone to recompile a new package on an old machine that was working absolutely fine before they decided to "cut off" package updates.
This is one of the reasons why my preferred package manager is "./configure; make; make install".
I installed Ubuntu on three machines last week - and none of them are commercial machines, none of them need a subscription or account, and all of them had the packages, MOTD, etc. associated with these services ripped out.
By all means offer a corporate support service. But if you want to do that, don't spam your free product with adverts for your paid-for product. RedHat/CentOS/Fedora all over again.
I would literally rather roll-my-own if this is the way other distros go too... because then maybe I can turn off most of this systemd shite too. Spent 20 minutes the other day working out why I couldn't just kill GPSd and move it to another port after having changed the configuration - and it's because systemd ingratiates itself even into simple services like that to auto-start them as you touch the port you intend to use or insert a device, and that uses entirely different configuration files. Did we learn NOTHING from Autoplay?
All Ubuntu pushing this stuff down my throat constantly does is put me off using Ubuntu entirely - including professionally.
It is ironic that I started many years ago with Slackware as a desktop, then moved to Slackware for servers (predictability and control), then changed to Ubuntu for desktop (simplicity), then changed to Ubuntu for servers (simplicity and control), and now would really move back to Slackware for servers (predictability and control) and other things entirely for desktop.
My entire reason for using Linux is thus:
- I want things to just do what I say, and work when I do that.
That's it. That's the one, sole reason for my preference in that regard. If I kill a process, I want it to die. If I change a config, I want it to take effect immediately without having to reboot. If I want to rename a device, I just want it to happen (I once spent a day trying to rename a joystick device to always present as the first js0 device under systemd, and at the time it simply wasn't possible, it always just did whatever it felt). If I want systemd or an alternative, I expect to just be able to choose. If I want to install my own local DNS server, that's what happens.
Don't even get me started on those software that demand I install them via snap/docker/etc. as their only way of doing so.
Play ball, Ubuntu, or lose your customer base. Not "signing up" to get an extra two years and spamming you incessantly if you don't.
Re: (Score:2)
I've heard of it, and they're reinventing Slackware.
Procrastinators of the World Rejoice! (Score:3)
Now you can put off by another two years the need to take a backup, type sudo do-release-upgrade and then have a cup of tea while you wait! Yay!
OK, I can appreciate the "if it's not broken, don't fix it" sentiment, but updating to the latest OS release is like going to the doctor for that strangely painful lump; the longer you wait, the worse it's going to be when you finally have to see to it.
Snap (Score:2)