"Ubuntu LTS: Many vulnerabilities despite long-term support"

18 replies [Latest content]
root_vegetable
Joined: 10/26/2015

I found this on Reddit: https://www.wilderssecurity.com/threads/ubuntu-lts-many-vulnerabilities-despite-long-term-support.385386/
The article that the forum references is on Heise.de, and is in German (I should emphasise that I cannot read German, sorry): http://m.heise.de/ct/artikel/Ubuntu-LTS-Langzeitpflege-gibt-es-nur-fuer-das-Wichtigste-3179960.html

The forum claims that only the 'main' repository gets long term support. Apparently the rest of the packages, in 'universe', are imported from Debian Unstable and then basically left to rot. They are only refreshed on the next Ubuntu release.
I am not sure how much I should be concerned about this. I understand that 'main' includes essential things like GnuPG, the GNU C library and X.org, but considering 'main' is a mere 7000 or so packages, as opposed to the some 40000 packages in Debian, this seems like it could be a severe oversight on the part of Canonical. They give an example of VLC media player: if an exploit was found in this widely-used piece of software, that could be bad for the LTS users.

Thoughts? Personally, I have advocated for some time switching to Debian, so naturally would suggest Trisquel does that, especially since gNewSense is rather dormant, shall we say.

t3g
Joined: 05/15/2011

I thought everyone knew this. Since the beginning, the "main" repositories in Ubuntu get the greatest support while the "universe" is less important and relies on community support.

JadedCtrl
Joined: 08/11/2014

In an LTS release, you don't get the latest packages. Naturally, this means you don't get the latest security fixes. In Ubuntu's case, the exception is the main repository.
... this is news, somehow?

root_vegetable
Joined: 10/26/2015

Yes, it is news. "Long term support" implies support for all the packages in Ubuntu for 5 years. Canonical does not say on their website "over 7000 packages supported for 5 years, but please note that many of the packages you might actually want to use do not receive support". I thought it was like Debian stable and each one had a maintainer. How are normal people supposed to know this?

SalmanMohammadi
Joined: 02/23/2012

> How are normal people supposed to know this?

https://wiki.ubuntu.com/SecurityTeam/FAQ :

What software is officially supported by the Ubuntu Security team?

Ubuntu is currently divided into four components: main, restricted, universe and multiverse. All binary packages in main and restricted are supported by the Ubuntu Security team for the life of an Ubuntu release, while binary packages in universe and multiverse are supported by the Ubuntu community.

onpon4
Joined: 05/30/2012

As a couple others have said, this is the whole reason for some packages being in a separate repository. Anything in "universe" is officially unsupported, which means not only is it not subject to the LTS support, it isn't even subject to the shorter support of any other Ubuntu releases. If it's a concern for you, Trisquel maintains these sections, so you can exclude the "universe" section from your sources.list if you want. But software in "universe" is usually not software that is likely to be a vector for an attack.

SalmanMohammadi
Joined: 02/23/2012

> If it's a concern for you, Trisquel maintains these sections, so you can exclude the "universe" section from your sources.list if you want.

No. There is not such a thing on Trisquel 7. Everything is in one component, `main`. https://paste.debian.net/441920

onpon4
Joined: 05/30/2012

Oh, OK. Sorry, I thought they were still separate.

oysterboy
Joined: 02/01/2011

But when you look at the list of packages in Synaptic, you do see that some come from main and some from universe. So where does that division come from if sources.list only mentions main?

onpon4
Joined: 05/30/2012

No clue. But I've verified in a Trisquel Mini installation I have on a virtual machine; there are no lines including a "universe" section in /etc/apt/sources.list. Maybe this information is just stored somewhere?
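Ubuntu's Security team FAQ quoted above says only `main` and `restricted` are supported; the practical question for a user is which installed packages fall outside those two, and whether `sources.list` even pulls the others in. The following is an added example, not code from this thread or from Ubuntu or Trisquel. It assumes (as Ubuntu's own indices do) that the component is carried as a prefix of the `Section` field, e.g. `universe/video`, with `main` packages carrying no prefix; that is also the likely source of the `main`/`universe` split Synaptic shows even when `sources.list` names only one component, though that is an assumption here, not something the thread confirms. The dpkg status stanzas and `sources.list` lines are constructed samples.

```python
"""Find installed packages outside Ubuntu's security-supported components.

Added example (not from the thread, Ubuntu or Trisquel). Assumption: the
component is the prefix of the Section field, e.g. 'universe/video', and
packages from 'main' have a bare Section such as 'utils'.
"""
import re

# Per https://wiki.ubuntu.com/SecurityTeam/FAQ: main and restricted are
# supported by the Ubuntu Security team; universe and multiverse are not.
SUPPORTED = {"main", "restricted"}

# Constructed sample in dpkg status format (not taken from a real system).
SAMPLE_STATUS = """\
Package: gnupg
Status: install ok installed
Section: utils
Version: 1.4.20-1ubuntu3

Package: vlc
Status: install ok installed
Section: universe/video
Version: 2.2.2-5

Package: chromium-browser
Status: deinstall ok config-files
Section: universe/web
Version: 1

Package: flashplugin-installer
Status: install ok installed
Section: multiverse/web
Version: 1
"""

# Constructed sample sources.list (hypothetical mirror and suite names).
SAMPLE_SOURCES = """\
deb http://archive.ubuntu.com/ubuntu xenial main restricted
deb http://archive.ubuntu.com/ubuntu xenial-security main restricted
# deb http://archive.ubuntu.com/ubuntu xenial multiverse
deb-src http://archive.ubuntu.com/ubuntu xenial main
deb http://archive.ubuntu.com/ubuntu xenial universe
"""


def parse_stanzas(text):
    """Parse RFC822-style stanzas (dpkg status / apt Packages) into dicts."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            if line[:1].isspace():  # continuation line (e.g. Description)
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if fields:
            stanzas.append(fields)
    return stanzas


def component_of(section):
    """'universe/video' -> 'universe'; a bare section means 'main'."""
    return section.split("/", 1)[0] if "/" in section else "main"


def installed_unsupported(status_text):
    """Installed packages outside main/restricted, as (name, component)."""
    found = []
    for pkg in parse_stanzas(status_text):
        if not pkg.get("Status", "").endswith(" installed"):
            continue  # removed / config-files-only packages do not count
        comp = component_of(pkg.get("Section", ""))
        if comp not in SUPPORTED:
            found.append((pkg["Package"], comp))
    return sorted(found)


def _split_deb_line(line):
    """Return (kind, options, url, suite, components) or None."""
    parts = line.split()
    if len(parts) > 1 and parts[1].startswith("["):  # [arch=...] options
        opts, parts = [parts[1]], parts[:1] + parts[2:]
    else:
        opts = []
    if len(parts) < 4 or parts[0] not in ("deb", "deb-src"):
        return None
    return parts[0], opts, parts[1], parts[2], parts[3:]


def enabled_components(sources_text):
    """Components enabled by active (uncommented) 'deb' lines."""
    comps = set()
    for line in sources_text.splitlines():
        entry = _split_deb_line(line.split("#", 1)[0].strip())
        if entry and entry[0] == "deb":
            comps.update(entry[4])
    return comps


def restrict_sources(sources_text):
    """Keep only supported components; comment out lines left with none."""
    out = []
    for line in sources_text.splitlines():
        entry = None if line.lstrip().startswith("#") else _split_deb_line(line)
        if entry is None:
            out.append(line)
            continue
        kind, opts, url, suite, comps = entry
        keep = [c for c in comps if c in SUPPORTED]
        out.append(" ".join([kind] + opts + [url, suite] + keep) if keep
                   else "# " + line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, comp in installed_unsupported(SAMPLE_STATUS):
        print(f"{name}: {comp} (not covered by the Ubuntu Security team)")
    print("enabled:", sorted(enabled_components(SAMPLE_SOURCES)))
    print(restrict_sources(SAMPLE_SOURCES))
```

On a real Ubuntu system the inputs would be `/var/lib/dpkg/status` and `/etc/apt/sources.list` (plus `sources.list.d/`); `restrict_sources` is the scripted form of loldier's "only enable main by default", and commenting lines out rather than deleting them keeps the change reversible. On Trisquel 7, where everything is published under one `main` component, `enabled_components` would report only `main`, and the `Section` prefix is the only remaining trace of where a package came from.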

jxself
Joined: 09/13/2010

My understanding is that the Trisquel Helpers are responsible for pulling packages from the appropriate area of Ubuntu and that once integrated into Trisquel they are just in the one repository.

SalmanMohammadi
Joined: 02/23/2012

Package helpers are solely used for modifying existing free-software packages. `ubuntu-purge` (https://devel.trisquel.info/trisquel/ubuntu-purge) is used for mirroring the upstream Ubuntu repository (only the `main` and `universe` components) and also for excluding software from these components that we do not want (like chromium, or vrms, etc.).

I suppose this file does the job, https://devel.trisquel.info/trisquel/ubuntu-purge/blob/master/conf/updates#L97

jxself
Joined: 09/13/2010

"Package helpers are solely used for modifying existing free-software packages."

And can also be used to pull in software, but I digress: it shows Trisquel plops them all into one place. :)

SalmanMohammadi
Joined: 02/23/2012

You are right. Unfortunately I cannot edit my previous post to correct it ;)

onpon4
Joined: 05/30/2012

I'm confused. It was me who was wrong, wasn't it? Why are you talking about correcting your post?

SalmanMohammadi
Joined: 02/23/2012

I meant that what I said about the sole application of package-helpers was wrong ;)

root_vegetable
Joined: 10/26/2015

My point is that Canonical don't make this clear. Some person who decides to try Ubuntu is not going to look at the security team FAQ page. They would assume that there would be the main repository, supported for the 5 years as advertised. So Canonical should have some sort of disclaimer when people download it.

loldier
Joined: 02/17/2016

They should only enable main by default after every clean install.

It's pretty well explained here.

http://www.howtogeek.com/194247/whats-the-difference-between-main-restricted-universe-and-multiverse-on-ubuntu/

And here.

https://help.ubuntu.com/community/Repositories/Ubuntu

The Ubuntu software repositories are organized into four separate areas or "components", according to the level of support offered by Ubuntu and whether or not the program in question complies with Ubuntu's Free Software Philosophy.

Universe - Community maintained software, i.e. not officially supported software.

cooloutac
Joined: 06/27/2015

very good point. many people don't realize the same thing about openbsd.