70

Since January 2023, there have been some questions mentioning ESM Apps, that seem to have caused confusion among myself and others (one example here).

On running sudo apt update, users will get a notification similar to this, stating that several packages from the universe repository have security updates that require Ubuntu Pro:

The following security updates require Ubuntu Pro with 'esm-apps' enabled:
  imagemagick libopenexr25 libmagick++-6.q16-8 libmagickcore-6.q16-6-extra
  libmagickwand-6.q16-6 imagemagick-6.q16 libmagickcore-6.q16-6
  imagemagick-6-common

It seems there is a relation between ESM Apps, the universe repository, and an Ubuntu Pro subscription, but what exactly are ESM Apps and how are the above related?

Artur Meinild
  • 26,018

1 Answer

51

Ubuntu Pro was made available on January 26, 2023, and from this day users would be notified that they can now get security packages for ESM Apps with an Ubuntu Pro account.

Canonical later published an official FAQ about Ubuntu Pro on February 21, 2023.

In short, the previous Ubuntu Advantage subscription offered the following:

... continued security fixes for high and critical common vulnerabilities and exposures (CVEs) for the packages in the Ubuntu main and restricted archives for x86-64 architectures ...

However, with the new Ubuntu Pro subscription, this area of coverage has been expanded:

Pro

Main + Universe: 10 years

2,300 packages in the Ubuntu Main repo included in Infra-only, plus an additional 23,000+ packages in the Ubuntu Universe repository for 10 years

As an interesting side note, there was a bug where all users would get this notification, even if they were on an unsupported architecture (like arm64, etc.).

So ESM Apps is the designation used by Canonical for the packages in the universe repository that get 10 years of security updates with an Ubuntu Pro subscription.

Ubuntu Pro access is a paid service for companies, but individual users can get a free token for up to 5 machines (including either physical or virtual machines) by logging in to the Ubuntu Pro Dashboard.

To remove the additional nag screens from the apt update dialogue, please see this Q&A.

Clarification from Thomas Ward concerning security updates for Universe packages:

Some applications are only 'updated' in the ESM repositories, but if you don't want to enroll in free ESM you can still update your system as normal with -updates and -security but you won't get 'newer' updates for things. ... You can ignore the ESM message if you don't want ESM - it's informational only - items in esm-apps are "newer" than what's in the main repositories but that's due to there not being community-volunteered updates for the -updates or -security pockets.

Further investigation of ESM Apps and their security upgrades:

One example of a package that has ESM security upgrades is imagemagick. (Thanks Philippe Gaucher)

An installation of imagemagick on a machine without an Ubuntu Pro token gives this result:

$ apt policy imagemagick
imagemagick:
  Installed: 8:6.9.11.60+dfsg-1.3build2
  Candidate: 8:6.9.11.60+dfsg-1.3build2
  Version table:
 *** 8:6.9.11.60+dfsg-1.3build2 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
        100 /var/lib/dpkg/status

While an installation of imagemagick on a machine with an Ubuntu Pro token gives this result:

$ apt policy imagemagick
imagemagick:
  Installed: 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.1+esm1
  Candidate: 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.1+esm1
  Version table:
 *** 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.1+esm1 500
        500 https://esm.ubuntu.com/apps/ubuntu jammy-apps-security/main amd64 Packages
        100 /var/lib/dpkg/status
     8:6.9.11.60+dfsg-1.3build2 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages

Conclusion

The Ubuntu Pro ESM Apps should be seen as an additional support channel for those who wish to opt in with it. Here, the Ubuntu developers roll out in-house universe security patches (additional backports of new patches against historical versions of the packages), which was previously not available. If you don't opt in to this, you get exactly the same upstream support for universe packages as before Ubuntu Pro (under the Ubuntu Advantage subscription).

In addition, ESM Apps are only available for the x86_64 architecture, so no matter what, these upgrades are not available for other platforms, such as arm64.

Artur Meinild
  • 26,018
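As an added example (not code from the question or the answer above), a small Python parser for the apt policy output quoted in the answer: it reports whether the candidate version is served from the ESM Apps pocket on esm.ubuntu.com, whether the installed build carries the +esm suffix seen in the answer's version strings, and which plain-archive version remains as the fallback without a Pro token. It assumes the apt policy layout shown above; the sample text is constructed from that output.

```python
import re

ESM_HOST = "esm.ubuntu.com"

# Constructed sample: the `apt policy imagemagick` output quoted in the answer
# for a machine with an Ubuntu Pro token attached.
WITH_PRO = """imagemagick:
  Installed: 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.1+esm1
  Candidate: 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.1+esm1
  Version table:
 *** 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.1+esm1 500
        500 https://esm.ubuntu.com/apps/ubuntu jammy-apps-security/main amd64 Packages
        100 /var/lib/dpkg/status
     8:6.9.11.60+dfsg-1.3build2 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
"""

def parse_policy(text):
    """Parse `apt policy <pkg>` output. Returns (package, installed, candidate, versions),
    where versions maps each version string to the source URLs/paths that offer it."""
    lines = text.strip().splitlines()
    pkg, installed, candidate, versions, current = lines[0].rstrip(":"), None, None, {}, None
    for line in lines[1:]:
        s = line.strip()
        if s.startswith("Installed:"):
            installed = s.split(":", 1)[1].strip()
        elif s.startswith("Candidate:"):
            candidate = s.split(":", 1)[1].strip()
        elif re.fullmatch(r"(\*\*\* )?\S+ \d+", s):          # version row: "[*** ]<version> <pin>"
            current = s.replace("*** ", "").rsplit(" ", 1)[0]
            versions[current] = []
        elif current is not None and re.match(r"\d+ \S", s):  # source row: "<priority> <origin> ..."
            versions[current].append(s.split()[1])
    return pkg, installed, candidate, versions

def classify(text):
    """Decide whether the candidate comes from an ESM Apps pocket, whether the installed
    build is an ESM build (+esm suffix), and which plain-archive version remains as fallback."""
    pkg, installed, candidate, versions = parse_policy(text)
    esm = any(ESM_HOST in src for src in versions.get(candidate, []))
    archive = [v for v, srcs in versions.items() if any("archive.ubuntu.com" in s for s in srcs)]
    return {"package": pkg, "candidate": candidate, "candidate_from_esm": esm,
            "installed_is_esm_build": "+esm" in (installed or ""),
            "archive_fallback": archive[0] if archive else None}

if __name__ == "__main__":
    print(classify(WITH_PRO))
```

Run it against the real output of apt policy for any package named in the apt update notice to see which version would actually be installed with and without a Pro token.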
  • So as of January 26, 2023 all of the Ubuntu 20.04 security updates are no longer available without a Ubuntu Pro subscription? – Firefishy Jan 30 '23 at 16:07
  • @artur-meinild , just looking for more clarification. I am running 22.04. Suppose I choose NOT to go with Ubuntu Pro. So for 5 yrs I will get updates for esm packages, but after year five will not? And for the next 5 yrs I will get messages that I should have Ubuntu Pro to get updates to esm packages? Can I safely ignore those messages? I ask as the message says I will NOT get updates for any esm packages without an Ubuntu Pro account - the message says that the Ubuntu Pro acct is "required" for updates: "The following security updates require Ubuntu Pro with 'esm-apps' enabled" – dln949 Jan 30 '23 at 17:02
  • So, I have information from the Security team after poking on this. Some applications are only 'updated' in the ESM repositories, but if you don't want to enroll in free ESM you can still update your system as normal with -updates and -security but you won't get 'newer' updates for things. Especially where Universe comes into play. You can ignore the ESM message if you don't want ESM - it's informational only - items in esm-apps are "newer" than what's in the main repositories but that's due to there not being community-volunteered updates for the -updates or -security pockets. – Thomas Ward Jan 30 '23 at 19:10
  • @ThomasWard so does that mean that now you get security updates for apps, where there was never any security updates previously? Just to be sure.. – Artur Meinild Jan 30 '23 at 19:42
  • @ArturMeinild no, not necessarily. Some things might get updates but the vast majority probably won't, and it's not a guarantee of Security patching (same general concept to standard security patching applies, but with a stricter scale of what's actually updated, etc. but no real variation from standard policy for updates is my understanding). ESM however is not needed if you just want the standard free non-Canonical-commercial-offering stuff. Those warnings are 'red herrings' indicating updates are in esm-apps but they're non-critical and not necessarily all security. – Thomas Ward Jan 30 '23 at 19:52
  • @ThomasWard I am a bit puzzled. So the package texlive-full is a "Canonical-commercial-offering stuff" ? – Philippe Gaucher Jan 31 '23 at 09:05
  • Do I need snapd installed for the pro app to work? I manage more than 5 PCs for a computer lab and they don't want to pay the $25/y per PC (have more than 20 PCs). I UnSnap all the machines, due to performance. – PenguinCSC Feb 01 '23 at 16:37
  • @PenguinCSC no, snapd is not needed for Ubuntu Pro at this time. However, it's required if you want to use kernel live patching. That particular app is a snap. – Artur Meinild Feb 01 '23 at 16:58
  • Theoretically, we should be able to compare the changelog file for both versions to show the differences. For example, to show the changelog for imagemagick-6-common you can run zcat /usr/share/doc/imagemagick-6-common/changelog.Debian.gz to print the file. Of course, download the deb for both, extract them, and then run zcat ./usr/share/doc/imagemagick-6-common/changelog.Debian.gz for each of them. – mchid Feb 02 '23 at 13:32
  • Don't understand what is going on here. Are the "esm" updates not also to be made available upstream under the terms of open source licences? Over time will the new approach effectively convert a lot of the open source community developed applications into the effective property of Canonical? – Joe Mar 06 '23 at 09:15
  • Canonical is doing additional backports of new patches against historical versions of the packages. Latest version of each software already has these patches but Canonical doesn't offer the latest and greatest version from their package repositories. Instead, they offer the version that was included in the original release + backported security patches against those old versions. – Mikko Rantalainen Aug 07 '23 at 07:05
  • @MikkoRantalainen I took the liberty of adding part of your comment as explanation in my conclusion. – Artur Meinild Aug 07 '23 at 07:08
  • @ArturMeinild You're absolutely right, deleting my comment now – PavoDive Dec 30 '23 at 04:29