After the announcement of Ubuntu Pro GA last week, we take the time to dispel
some myths around all things Ubuntu Pro, esm-apps and apt etc, plus Camila sits
down with Mark and David to discuss the backstory of EditorConfig CVE-2023-0341,
and we also have a brief summary of the security updates from the past week.
But a lot of users have been expressing a lot of emotion over the new
‘advertisement’ for Ubuntu Pro / esm-apps that now appears when they
run apt update, e.g.:
The following security updates require Ubuntu Pro with 'esm-apps' enabled:
python2.7-minimal python2.7 libpython2.7-minimal libpython2.7-stdlib
Learn more about Ubuntu Pro at https://ubuntu.com/pro
There appear to be a few main issues:
- Users don’t like what appears to be an advertisement in the apt output
- Some updates now appear to be behind a “paywall”
- Whilst they are free for personal use, to get access to them you need to
  register an account on Ubuntu One etc and this requires providing various
  high-level personal details (Name, Email etc)
So let’s take some time to look into these issues:
- This is not the first time Canonical has tried to raise awareness of
  various products - e.g. motd etc - so perhaps this causes more frustration
  for users - however, if desired it can be disabled:
      sudo pro config set apt_news=false
- Ubuntu Pro is free for personal / small-scale commercial use - any user is
  entitled to a free Ubuntu Pro subscription on up to 5 machines
  - this can be for bare metal or virtual machines and using either Ubuntu
    Server or Desktop - the install / Ubuntu type doesn’t matter
  - and as we mentioned last week, if you are an Ubuntu member you get an
    entitlement for 50 machines
    - currently this is not reflected in the https://ubuntu.com/pro/dashboard
      (it still says 5 machines against the free personal token)
  - so there is nothing to pay here - likely most folks that find this
    objectionable are personal users and so are entitled to the free
    subscription
  - the other big part of this is that some folks seem to think these updates
    are now only available via Ubuntu Pro when previously they were part of
    the regular Ubuntu archive
    - this is incorrect - the esm-apps part of this message indicates that
      these updates are for packages in the Universe component of the Ubuntu
      archive - previously these have only ever been community supported - and
      so the Ubuntu Security team would only ever provide security updates on
      rare occasions OR if a member of the community came along and provided
      an update in the form of a debdiff which could be sponsored by someone
      from the Ubuntu Security team
    - but now the team is starting to do security updates for packages in
      Universe and these are being made available via Ubuntu Pro
    - so if you do not enrol in Ubuntu Pro, your machine is still getting the
      regular security updates for the Main+Restricted components as it
      always was
    - but if you do choose to enrol in Ubuntu Pro you can get these extra
      security updates that were never previously available
- On the issue of having to provide some personal information to get access
  to Ubuntu One, I realise this can be a bit contentious given that a lot of
  Ubuntu and Linux users in general can be quite privacy-conscious - however
  this is not really any different than other online services like
  GitHub/Gmail etc - and as said earlier, if you choose to not enrol in
  Ubuntu Pro, you are just as secure as you always were - and to avoid having
  to see the prompt in your apt update output, you can disable that as
  mentioned earlier and so restore your system to the same state as it used
  to be - as always, you are in control of your own machine
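To see exactly which Universe packages on a machine have security updates waiting in esm-apps, the notice quoted earlier can be turned into a plain package list. The shell functions below are an added example, not part of the original show notes or of the Ubuntu Pro client; the function names and the sample apt output are constructed for illustration.

```shell
#!/bin/sh
# Added example: extract the package names from apt's Ubuntu Pro
# 'esm-apps' notice. Reads apt output on stdin and prints one
# package name per line, sorted and de-duplicated.
esm_apps_pending() {
    awk '
        # Notice header: start collecting on the following line.
        # The dots stand in for the single quotes around esm-apps.
        /require Ubuntu Pro with .esm-apps. enabled:$/ { collecting = 1; next }
        # The package list ends at the "Learn more" line or a blank line.
        collecting && (/^Learn more about Ubuntu Pro/ || NF == 0) { collecting = 0; next }
        # Package names may wrap over several lines, indented or not.
        collecting { for (i = 1; i <= NF; i++) print $i }
    ' | LC_ALL=C sort -u
}

# Number of packages with pending esm-apps security updates.
esm_apps_pending_count() {
    esm_apps_pending | wc -l | tr -d ' '
}

# Constructed sample input, modelled on the message quoted above.
sample_apt_output() {
    cat <<'EOF'
Reading package lists... Done
The following security updates require Ubuntu Pro with 'esm-apps' enabled:
  python2.7-minimal python2.7 libpython2.7-minimal
  libpython2.7-stdlib
Learn more about Ubuntu Pro at https://ubuntu.com/pro
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
EOF
}

sample_apt_output | esm_apps_pending
```

On a real system, pipe the apt output that carries the notice into `esm_apps_pending` in place of the sample.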
Hopefully this helps to dispel some of the myths and concerns surrounding
Ubuntu Pro and encourage folks to use it - the Ubuntu Security Team and others
at Canonical have put a lot of work into Ubuntu Pro behind the scenes and we
think this provides a lot of great security benefits and so encourage all
listeners to make use of it to ensure their systems are as secure as possible
The inside story of EditorConfig CVE-2023-0341 [09:05]