Should you get an Ubuntu Pro free personal subscription?

Earlier this year, Canonical decided to advertise the arrival of Ubuntu Pro by hooking up the following message in the terminal as users were issuing apt update: “The following security updates require Ubuntu Pro with ‘esm-apps’ enabled: (list of vulnerable installed packages)”. Predictable for anyone but Canonical, confusion ensued.

TLDR; Ubuntu Pro

The gist of Ubuntu Pro is that Ubuntu LTS releases get 10 years of security fixes from the Ubuntu security team. As an example, Ubuntu 16.04 (Xenial Xerus) entered its extended security maintenance (esm) stage in April 2021 and will be supported until April 2026.

Ubuntu 16.04 ESM fully patched with Ubuntu Pro in 2023

The Ubuntu security team will provide security fixes for packages in both the main and universe repository for ten years. The universe repository contains software made available by the community and consists of more than 23 000 packages. Providing security fixes for those packages is a new additional feature of Ubuntu Pro.

Is Ubuntu Pro required for security updates?

The answer to that is no and yes. An Ubuntu LTS release within its regular support period will get all the security fixes for the main repository from the Ubuntu security team. The universe repository, however, will not get any security fixes from the Ubuntu security team, and patching will remain a community responsibility.

If you sign up for Ubuntu Pro, you’ll immediately receive additional security fixes for the universe repository from Canonical where available.

Canonical on the universe repository

I was under the impression that the universe repository was receiving security updates from the community, but apparently, that is not necessarily the case if Canonical is to be believed. The following comment was posted in the Ubuntu Discourse channel by a Canonical employee who indirectly commented on the community’s ability to provide security fixes:

Ubuntu 22.04 - Post installation

The statement from the charming Canonical employee (ogra) was left unchallenged and paints a somewhat concerning picture for users relying on software from the universe repository.

Universe repository considerations

When enabling the universe repository on an Ubuntu LTS release, you might install software that will not receive any security updates until you upgrade to the next Ubuntu release. Considering the worst-case scenario, this could mean five years without getting important security fixes. For regular Ubuntu interim releases, the window of vulnerability would be reduced to six months.

The pros of Ubuntu Pro

  • Canonical will provide security fixes for the universe repository
  • Ubuntu Pro is free for personal use (up to 5 machines)
  • Kernel livepatching

The cons of Ubuntu Pro

  • Requires an Ubuntu One account
  • The free tier beta tests new patches
  • Additional telemetry is sent to Canonical

Conclusion

Canonical might have dropped the ball on the marketing side with Ubuntu Pro, and they probably didn’t do themselves any favors by adding confusing lingoes like esm-apps and esm-infra to the mix. Additionally, nobody enjoys having advertisements of products and services plastered over their terminal. However, all that aside, I believe Ubuntu Pro is a solid offering and I have added the free subscription to my personal Ubuntu LTS servers.

Ubuntu Pro onboarding on a fresh install of Ubuntu 22.04 LTS

Apparently, Canonical really wants you to become an Ubuntu Pro subscriber.

When it comes to Ubuntu on the desktop though, I’m not interested in Ubuntu Pro. I believe that running the latest interim release is the best strategy. In my experience, Ubuntu LTS versions do not offer any benefits in stability or security and are often troublesome with a lack of modern hardware support due to running older kernels.

Another thing to consider is that the Ubuntu security team is undertaking quite the challenge with backporting security fixes for packages in the universe repository to all these LTS releases. Backporting security fixes is not always possible or an exact science, so it’ll be a best-case effort. It also seems likely that their main focus will be on the most used packages in enterprise environments.