[HN Gopher] Ubuntu Security Updates Are a Confusing Mess
___________________________________________________________________
Ubuntu Security Updates Are a Confusing Mess
Author : popey
Score : 69 points
Date : 2024-07-11 20:59 UTC (2 hours ago)
(HTM) web link (gld.mcphail.uk)
(TXT) w3m dump (gld.mcphail.uk)
| bravetraveler wrote:
| I'd argue we wouldn't have Snap _[for the better]_ if their LTS
| releases weren't _visually_ bound to years... saving overhead
| they regularly create for cosmetic reasons.
|
| Wouldn't have to create it to consolidate platforms if they
| stopped making them so often!
|
| They have three concurrent LTS releases when they need one.
| _Maybe_ two. 18.04 is the python2 of distributions. Let it go.
|
| Having worked in several places that relied on it... ESM is being
| the bad kind of enabler.
|
| Fedora handles _"The Snap Problem"_ -- many target distributions
| -- with 'fedpkg' and 'mock'. Software and machines _on the build
| side_. Not by degrading the end user experience. They do
| participate with Flatpak... but that's peer pressure more than
| anything.
|
| Flatpak is more well-rounded IMO. Probably from being the broader
| answer. Maybe this all doesn't make an argument. Just a bunch of
| statements. I don't know.
|
| Back on topic: I wonder what all of this Canonical stuff in
| particular is for/leads to. New software isn't scary; 'just'
| plan/test. It becomes scary when you get lazy here... so accept
| your involvement.
| Suppafly wrote:
| Is it not possible to fix the one package from the debian sources
| vs waiting for ubuntu to allow him to get it from them?
| lmz wrote:
| It's possible to fix anything from the sources but I guess the
| Tomcat version in 22.04 didn't have a corresponding stable
| Debian version? (vs. the 20.04 version)
| juujian wrote:
| Ubuntu is merely reusing apt to connect to its own
| repositories. You could manually install packages from Debian's
| repositories, but it's probably inadvisable.
| jiripospisil wrote:
| I don't care they're gating this behind a subscription but the
| fact that they won't even tell you that you're missing an
| important security update? That's bad. I wonder how many people
| think they are fully up to date while being vulnerable to known
| bugs.
| ElectricSpoon wrote:
| They do tell you that you are missing now. On ubuntu 24.04, apt
| now reports/nags me about security updates behind esm-apps.
|
| They also publish an OVAL XML for use with OpenSCAP tools to
| get a list of unpatched CVEs. The issue is not enough people
| know about those tools.
| https://security-metadata.canonical.com/oval/
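The OVAL workflow ElectricSpoon refers to, as an added example that is not part of this thread and not Canonical's own tooling: fetch the feed for the running release, evaluate it with `oscap`, and summarise which definitions came back "true" (meaning the host matches a vulnerable package state). The base URL is the one posted above; the per-release file name `com.ubuntu.<codename>.usn.oval.xml.bz2`, the use of `curl`, `bunzip2`, `lsb_release` and `oscap` from the openscap-scanner package, and the shape of the `<definition ... result="true">` elements in the results file are assumptions, and `SAMPLE_RESULTS` is a constructed stand-in for real scanner output.

```shell
#!/bin/sh
# Added example: not from the thread or from Canonical. Assumes curl, bunzip2,
# lsb_release and oscap are installed and that Canonical's feed is laid out as
#   <OVAL_BASE>/com.ubuntu.<codename>.usn.oval.xml.bz2   (file name: assumption)

OVAL_BASE="https://security-metadata.canonical.com/oval"

# Build the download URL for a release codename (jammy, noble, ...).
oval_url() {
    printf '%s/com.ubuntu.%s.usn.oval.xml.bz2\n' "$OVAL_BASE" "$1"
}

# Count OVAL definitions that evaluated to "true" in a results document
# passed as a string. Assumes each definition is recorded as
#   <definition definition_id="..." ... result="true">   (assumption)
count_true_definitions() {
    printf '%s' "$1" | grep -o '<definition [^>]*result="true"' | wc -l | tr -d ' '
}

# Print the definition ids that evaluated to "true", one per line.
list_true_definitions() {
    printf '%s' "$1" | grep -o '<definition [^>]*result="true"' \
        | sed -n 's/.*definition_id="\([^"]*\)".*/\1/p'
}

# Constructed sample of a results document (not real scanner output).
SAMPLE_RESULTS='<oval_results>
<results><system>
<definitions>
<definition definition_id="oval:com.ubuntu.jammy:def:10000000" version="1" result="true"/>
<definition definition_id="oval:com.ubuntu.jammy:def:10000001" version="1" result="false"/>
<definition definition_id="oval:com.ubuntu.jammy:def:10000002" version="1" result="true"/>
</definitions>
</system></results>
</oval_results>'

# Full run against the local host: download, decompress, evaluate, summarise.
scan_host() {
    codename="$(lsb_release -cs)"
    workdir="$(mktemp -d)"
    curl -fsSL "$(oval_url "$codename")" -o "$workdir/oval.xml.bz2"
    bunzip2 "$workdir/oval.xml.bz2"
    # Do not abort on a non-zero exit from oscap; the results file is what matters.
    oscap oval eval --results "$workdir/results.xml" \
        --report "$workdir/report.html" "$workdir/oval.xml" >/dev/null || true
    results="$(cat "$workdir/results.xml")"
    echo "unpatched definitions: $(count_true_definitions "$results")"
    list_true_definitions "$results"
    echo "HTML report: $workdir/report.html"
}

# Only scan when explicitly asked, so sourcing this file has no side effects.
if [ "${1:-}" = "scan" ]; then
    scan_host
fi
```

Run it as `sh oval-check.sh scan` on the host you want to audit; the HTML report lists the USN/CVE behind each "true" definition, which is the information `apt` alone does not surface for packages whose fixes sit behind ESM.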
| jiripospisil wrote:
| Aha, thanks. I'm trying to look up the CVE on
| https://ubuntu.com/security/notices and the site's search
| responds with "504 Gateway Time-out" or "500: Server error".
| Come on Ubuntu.
| rightbyte wrote:
| > I don't care they're gating this behind a subscription
|
| I'd rather not have them push an ad to my face when I open the
| settings.
|
| I had to install Ubuntu on an embedded board last week and the
| "Ubuntu Pro" ad is like a greyed out tab in the settings widget
| if I remember correctly. Worse than the Amazon ad they had some
| decade ago.
| arjvik wrote:
| If I was looking for a distro with paid support (a la
| RHEL/Ubuntu) that's also not incredibly behind bleeding edge
| (maybe not as bleeding edge as Arch, but also not running
| patched-to-hell-and-back software like Ubuntu), what are my
| options?
|
| Thankfully I'm not personally looking for this at the moment, I'm
| more than happy being my own sysadmin and running anything from
| Arch to Fedora CoreOS to OpenSUSE on my machines.
| brylie wrote:
| I don't know if it meets all of your criteria but SUSE might be
| an option:
|
| https://www.suse.com/products/server/
| SSLy wrote:
| On desktop/laptop? Only Arch. On servers I'd say RHEL/Rocky
| (don't disable selinux!) or SuSE; and the deployed services in
| podman or incus.
| ZhongXina wrote:
| I wish people would stop recommending Rocky. It's a ticking
| time bomb IMHO caused by their decision to not play nicely
| with Red Hat and go for questionable tactics like renting
| temporary RHEL instances to download premade source packages,
| instead of working together as RH asked them to do. Anybody
| reading this, do yourself a favor and use Alma, or skip the
| RHEL ecosystem altogether if you don't absolutely need it.
|
| Otherwise you're building on an operating system which
| rebuilds a commercial upstream while explicitly refusing to
| follow that upstream's rules. IBM has lots of experienced
| lawyers, as I've heard.
|
| It's also slower at releasing updates, including security
| updates.
|
| ------
|
| Sorry SSLy, I can't reply to you directly because I'm rate
| limited, it's very late here, and I'm not waiting for the
| rate limit to expire. So here's my reply:
|
| I think previous decisions made by IBM have shown that
| they're fine at burning some community goodwill for short-
| term profit. People were called paranoid for worrying about
| the future of CentOS when it was taken up by Red Hat for
| "improved maintenance", and look where we are now.
|
| Maybe you're right, but I personally wouldn't want to build
| anything serious on top of that "maybe". If something
| happens, lateral migration should theoretically work, of
| course..
|
| https://almalinux.org/elevate
| SSLy wrote:
| IBM suing Rocky for what they're doing means industry wide
| crisis about what the FOSS provisions really mean. Their
| competition would welcome such self sabotage with arms wide
| open.
|
| Of course they could release the code just for the *GPL
| packages, but it's an option only slightly less bad
| socially.
|
| Now, I wonder why there's no one rebuilding Ubuntu Pro like
| folks are rebuilding RHEL.
| jiripospisil wrote:
| I've heard good things about AlmaLinux but I haven't used it
| personally.
|
| https://almalinux.org
| ZhongXina wrote:
| RHEL ecosystem is no less patched than Debian and its
| derivatives. Especially the kernel has only some resemblance
| to its stated version.
| ZhongXina wrote:
| afaik, your want of relatively fresh software with few patches
| excludes pretty much everything there is, except for really
| niche stuff. All other major options with good commercial
| support have been mentioned by siblings; I'll add Debian +
| Freexian to the list.
|
| https://www.freexian.com
| n3storm wrote:
| Ubuntu is reselling Debian, once they made it well, now I don't
| know
___________________________________________________________________
(page generated 2024-07-11 23:02 UTC)