Canonical starts charging for Ubuntu LTS security updates


So Ubuntu has this model where they pretty much freeze package versions for a release once it ships, and from then on they only backport security fixes from upstream. There’s nothing new here, most distros do it this way. The idea is that this way they can polish the gazillions of package versions, make sure they work well together, and then never touch them again (too much).

Cool, but Ubuntu comes out with a release every 6 months, and it’s not very feasible to keep 10 different Ubuntu releases updated simultaneously, right? So then came the idea of Long Term Support! Let’s put out an LTS once every other year, support only those for 5 years, and the “regular” releases are not really supported anymore, right?

Riiight, but then how will Canonical make money from it? Apparently now they came up with a solution:

Get more security updates through Ubuntu Pro with ‘esm-apps’ enabled
Learn more about Ubuntu Pro at https://ubuntu.com/pro

Well, that’s new: apt asking me to buy a subscription for security updates. On the very latest LTS release. Apparently Canonical learned a lesson or two from Red Hat, because this is exactly the same thing that happens on RHEL after installation – it starts nagging you to set up your subscription with subscription-manager.

But what the feck is ESM anyway? Never heard of it. So apparently this is what Expanded Security Maintenance is:

Security maintenance for the entire collection of software packages shipped with Ubuntu. ESM enables continuous vulnerability management for critical, high and medium CVEs.

You mean the same CVEs that Debian also takes care of, for free? You know, the patches that you usually just copy over into Ubuntu? So it seems that without a Pro subscription you’ll only get “best effort” updates for anything outside the main component of the archive. Well, if they made any effort to keep me updated without a subscription, clearly I wouldn’t buy a subscription, so I have a pretty good idea how much effort they’re gonna put into this. Or am I supposed to feel better about having only a few cherry-picked known CVEs lurking around on my system, because Canonical put the patches for those behind a paywall?
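The practical question behind that paragraph is how much of a given machine actually sits outside main, i.e. how much of it only gets “best effort” fixes without esm-apps. The script below is an added example, not code from the post or from Canonical. It maps installed package names to the archive component they came from by reading apt’s local index files in /var/lib/apt/lists, whose file names encode the suite and component (for example archive.ubuntu.com_ubuntu_dists_jammy-updates_universe_binary-amd64_Packages). It assumes those indexes are stored uncompressed (apt’s default) and that anything not served from an ubuntu.com archive is a third-party source, which it flags separately rather than trusting the “main” in a PPA’s path. The package names and versions in the built-in sample data are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): classify installed packages by
# the Ubuntu archive component that ships them. Packages outside "main" are the
# ones the post says only get "best effort" updates without esm-apps.

# component_of LISTS_DIR PACKAGE
# Prints "main", "universe", "multiverse", "restricted", "third-party" (index not
# from an ubuntu.com archive, e.g. a PPA) or "unknown" (not in any index).
component_of() {
    lists_dir=$1
    pkg=$2
    for index in "$lists_dir"/*_Packages; do
        [ -f "$index" ] || continue
        # Every stanza in a Packages index starts with "Package: <name>".
        if grep -qxF "Package: $pkg" "$index"; then
            name=$(basename "$index")
            case $name in
                *archive.ubuntu.com_*|security.ubuntu.com_*|ports.ubuntu.com_*)
                    # ..._dists_<suite>_<component>_binary-<arch>_Packages
                    comp=$(printf '%s\n' "$name" |
                        sed -n 's/.*_dists_[^_]*_\([^_]*\)_binary-[^_]*_Packages$/\1/p')
                    printf '%s\n' "${comp:-unknown}" ;;
                *)
                    echo third-party ;;
            esac
            return 0
        fi
    done
    echo unknown
}

# component_report LISTS_DIR PACKAGE...
# Prints "<package> <component>" for each package given.
component_report() {
    lists_dir=$1
    shift
    for pkg in "$@"; do
        printf '%s %s\n' "$pkg" "$(component_of "$lists_dir" "$pkg")"
    done
}

# count_outside_main LISTS_DIR PACKAGE...
# Prints how many of the given packages are not served from main.
count_outside_main() {
    component_report "$@" | awk '$2 != "main" { n++ } END { print n + 0 }'
}

# make_sample_lists
# Builds a constructed stand-in for /var/lib/apt/lists in a temp dir and prints
# its path. Package placement here is sample data, not a statement about the
# real archive.
make_sample_lists() {
    dir=$(mktemp -d)
    cat > "$dir/archive.ubuntu.com_ubuntu_dists_jammy_main_binary-amd64_Packages" <<'EOF'
Package: bash
Version: 0.0-sample

Package: openssl
Version: 0.0-sample
EOF
    cat > "$dir/archive.ubuntu.com_ubuntu_dists_jammy-updates_universe_binary-amd64_Packages" <<'EOF'
Package: cowsay
Version: 0.0-sample

Package: sl
Version: 0.0-sample
EOF
    cat > "$dir/ppa.launchpadcontent.net_someone_tools_ubuntu_dists_jammy_main_binary-amd64_Packages" <<'EOF'
Package: demo-tool
Version: 0.0-sample
EOF
    echo "$dir"
}

# Demo on the constructed data. On a real host use instead:
#   component_report /var/lib/apt/lists $(dpkg-query -W -f='${Package}\n')
demo_lists=$(make_sample_lists)
component_report "$demo_lists" bash openssl cowsay sl demo-tool
echo "outside main: $(count_outside_main "$demo_lists" bash openssl cowsay sl demo-tool)"
rm -rf "$demo_lists"
```

The third-party bucket matters because a PPA’s index path also contains “main”, and a package from there gets whatever maintenance the PPA owner provides, not Canonical’s. Packages reported as unknown are usually ones installed from a local .deb or from a repository that has since been removed from sources.list, which deserve a look of their own.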

So what’s this Pro sub? Let’s check it out:

Geez, this is literally the Red Hat Developer Subscription all over again, except even RH is more generous with its 16 nodes instead of just 5. And I’d like to point out that I got this prompt in a WSL instance. Not a physical machine, not even a VM, just WSL.

How much would it set me back, should I run out of these 5 nodes? $25 / year for a single desktop machine. What if I want VMs? Well, you can’t buy just 1, because they figured no one needs just a couple of Ubuntu VMs, so the only option is “unlimited” VMs on a single physical node, for a generous $500 / year. Suuuure. And what’s even gonna happen to Docker containers? Kubernetes? So many questions.

Charging for security updates on very old releases is fine. If you refuse to upgrade, pay the price. But:

  • 22.04 is an LTS release with 4 more years left of its support lifecycle.
  • There’s no newer version to upgrade to. It’s not my laziness, it’s your greediness.

So really, Ubuntu is setting a horrible precedent here. Charging money for security updates on the latest release, really? Red Hat Linux was turned into RHEL back in 2003, but even they had the courtesy to offer a free alternative, Fedora. Then came CentOS and rebuilt all the source code, and you got RHEL without the price of RHEL. Canonical, on the other hand, says nope, pay up or else.

Yes, that “else” is exactly what’s going to happen if they really stand by this decision. After the Red Hat takeover, CentOS tried to pull the same crap with its CentOS Stream debacle, and what did they achieve with that? Bingo, everyone switched to Rocky, Alma, or Fedora. And in the case of Ubuntu, it’s not even necessarily the money it involves – it’s the maintenance burden, the deployment nightmare. It’s Windows activation and KMS in disguise – it’s a pain in the ass, there’s no other way to put it.

We love Linux deployments because they’re quick and simple to roll out, reset, and dispose of, and because I don’t have to worry about activation, licensing, expirations, or keeping an inventory of a truckload of keys and which instances they belong to. This move eliminates all of these advantages.

So Ubuntu, thanks for all the fish, you just took another step towards becoming completely irrelevant. I can only guess how long it will be before Ubuntu has its own CentOS moment.