Score:60

What are ESM Apps, and how do they relate to Ubuntu Pro?

Since January 2023, there have been some questions mentioning ESM Apps, that seem to have caused confusion among myself and others (one example here).

On running sudo apt update, users will get a notification similar to this, stating that several packages from the universe repository have security updates that require Ubuntu Pro:

The following security updates require Ubuntu Pro with 'esm-apps' enabled:
  imagemagick libopenexr25 libmagick++-6.q16-8 libmagickcore-6.q16-6-extra
  libmagickwand-6.q16-6 imagemagick-6.q16 libmagickcore-6.q16-6
  imagemagick-6-common

It seems there is a relation between ESM Apps, the universe repository, and an Ubuntu Pro subscription, but what exactly are ESM Apps and how are the above related?

gatomon:
To remove nag: `sudo mkdir /etc/apt/apt.conf.d/off;` and then `sudo mv /etc/apt/apt.conf.d/20apt-esm-hook.conf /etc/apt/apt.conf.d/off;`

Artur Meinild:
@gatomon thanks - I've added this to [my other Q&A](https://askubuntu.com/questions/1452519/what-are-the-services-apt-news-and-esm-cache-and-how-do-i-disable-them/) about these services.

Jonte YH:
Is this message serious or can I ignore it?

Artur Meinild:
You can ignore - this was never an option before, so you don't lose much.
Score:43

Ubuntu Pro was made available on January 26, 2023, and from this day users would be notified that they can now get security packages for ESM Apps with an Ubuntu Pro account.

Canonical later on February 21, 2023, published an official FAQ about Ubuntu Pro.

In short, the previous Ubuntu Advantage subscription offered the following:

... continued security fixes for high and critical common vulnerabilities and exposures (CVEs) for the packages in the Ubuntu main and restricted archives for x86-64 architectures ...

However, with the new Ubuntu Pro subscription, this area of coverage has been expanded:

Pro

Main + Universe: 10 years

2,300 packages in the Ubuntu Main repo included in Infra-only, plus an additional 23,000+ packages in the Ubuntu Universe repository for 10 years

As an interesting side note, there was a bug where all users would get this notification, even if they're on an unsupported architecture (like arm64 etc.).

So ESM Apps is the designation used by Canonical for the packages in the universe repository that get 10 years of security updates with an Ubuntu Pro subscription.

Ubuntu Pro access is a paid service for companies, but individual users can get a free token for up to 5 machines (including either physical or virtual machines) by logging in to the Ubuntu Pro Dashboard.

To remove the additional nag screens from the apt update dialogue, please see this Q&A.

Clarification from Thomas Ward concerning security updates for Universe packages:

Some applications are only 'updated' in the ESM repositories, but if you don't want to enroll in free ESM you can still update your system as normal with -updates and -security but you won't get 'newer' updates for things. ... You can ignore the ESM message if you don't want ESM - it's informational only - items in esm-apps are "newer" than what's in the main repositories but that's due to there not being community-volunteered updates for the -updates or -security pockets.

Further investigation of ESM Apps and their security upgrades:

One example of a package that has ESM security upgrades is imagemagick. (Thanks Philippe Gaucher)

An installation of imagemagick on a machine without an Ubuntu Pro token gives this result:

$ apt policy imagemagick
imagemagick:
  Installed: 8:6.9.11.60+dfsg-1.3build2
  Candidate: 8:6.9.11.60+dfsg-1.3build2
  Version table:
 *** 8:6.9.11.60+dfsg-1.3build2 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
        100 /var/lib/dpkg/status

While an installation of imagemagick on a machine with an Ubuntu Pro token gives this result:

$ apt policy imagemagick
imagemagick:
  Installed: 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.1+esm1
  Candidate: 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.1+esm1
  Version table:
 *** 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.1+esm1 500
        500 https://esm.ubuntu.com/apps/ubuntu jammy-apps-security/main amd64 Packages
        100 /var/lib/dpkg/status
     8:6.9.11.60+dfsg-1.3build2 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages

Conclusion

The Ubuntu Pro ESM Apps should be seen as an additional support channel for those who wish to opt in with it. Here, the Ubuntu developers roll out in-house universe security patches (additional backports of new patches against historical versions of the packages), which was previously not available. If you don't opt in to this, you get exactly the same upstream support for universe packages as before Ubuntu Pro (under the Ubuntu Advantage subscription).

In addition, ESM Apps are only available for the x86_64 architecture, so no matter what, these upgrades are not available for other platforms, such as arm64.
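The two apt policy transcripts above differ only in where the candidate version is served from. As an added example (not part of the original answer), here is a small POSIX sh/awk script that pulls the package names out of the 'esm-apps' notice printed by apt update and classifies an apt policy listing by whether its candidate comes from esm.ubuntu.com/apps or from the regular archive. The function names, and the apt update lines around the notice in the sample, are this example's own; the policy samples reproduce the outputs shown in the answer.

```shell
#!/bin/sh
# Added example (not from the Ask Ubuntu answer): POSIX sh + awk helpers that
# (1) extract the package names from the "require Ubuntu Pro with 'esm-apps'
# enabled" notice that `apt update` prints, and (2) read `apt policy <pkg>`
# output to tell whether the candidate version comes from the ESM Apps pocket
# (https://esm.ubuntu.com/apps/...) or from the regular archive.
# Function and sample names are this example's own (hypothetical).

# Print one package name per line from an `apt update` transcript on stdin.
esm_packages_from_notice() {
    awk '
        /require Ubuntu Pro with .esm-apps. enabled:/ { grab = 1; next }
        grab && /^  / { for (i = 1; i <= NF; i++) print $i; next }
        grab { grab = 0 }   # first non-indented line ends the package list
    '
}

# Read `apt policy <pkg>` output on stdin and print "<pkg> <candidate> <origin>",
# where origin is "esm-apps" if the candidate version has a source row under
# esm.ubuntu.com/apps, otherwise "archive".
classify_policy() {
    awk '
        NF == 1 && $1 ~ /:$/   { pkg = substr($1, 1, length($1) - 1); next }
        $1 == "Candidate:"     { cand = $2; next }
        $1 == "***"            { cur = $2; next }   # row of the installed version
        $1 ~ /^[0-9]+$/ && $2 ~ /^(https?:\/\/|\/)/ {   # source row under a version
            if (cur == cand && $2 ~ /^https:\/\/esm\.ubuntu\.com\/apps\//) esm = 1
            next
        }
        NF == 2 && $2 ~ /^[0-9]+$/ { cur = $1; next }   # other version rows
        END { printf "%s %s %s\n", pkg, cand, (esm ? "esm-apps" : "archive") }
    '
}

# Live use on an Ubuntu host (not exercised offline): classify one package.
policy_origin_for() {
    apt-cache policy "$1" | classify_policy
}

# Constructed sample: the notice from the question, with one surrounding apt line.
sample_notice() {
cat <<'EOF'
Hit:1 http://archive.ubuntu.com/ubuntu jammy InRelease
The following security updates require Ubuntu Pro with 'esm-apps' enabled:
  imagemagick libopenexr25 libmagick++-6.q16-8 libmagickcore-6.q16-6-extra
  libmagickwand-6.q16-6 imagemagick-6.q16 libmagickcore-6.q16-6
  imagemagick-6-common

EOF
}

# Sample copied from the answer: machine without an Ubuntu Pro token.
sample_policy_no_pro() {
cat <<'EOF'
imagemagick:
  Installed: 8:6.9.11.60+dfsg-1.3build2
  Candidate: 8:6.9.11.60+dfsg-1.3build2
  Version table:
 *** 8:6.9.11.60+dfsg-1.3build2 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
        100 /var/lib/dpkg/status
EOF
}

# Sample copied from the answer: machine with an Ubuntu Pro token attached.
sample_policy_pro() {
cat <<'EOF'
imagemagick:
  Installed: 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.1+esm1
  Candidate: 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.1+esm1
  Version table:
 *** 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.1+esm1 500
        500 https://esm.ubuntu.com/apps/ubuntu jammy-apps-security/main amd64 Packages
        100 /var/lib/dpkg/status
     8:6.9.11.60+dfsg-1.3build2 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
EOF
}

echo "packages named in the notice:"
sample_notice | esm_packages_from_notice
echo "without Pro token: $(sample_policy_no_pro | classify_policy)"
echo "with Pro token:    $(sample_policy_pro | classify_policy)"
```

On a real Ubuntu host, `policy_origin_for imagemagick` pipes apt-cache policy through the same classifier. It reports "esm-apps" only when the candidate's own source row is an esm.ubuntu.com/apps URL, so a machine without a Pro token reports "archive" even though the notice names the package, which matches the answer's point that the notice is informational.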

Firefishy:
So as of January 26, 2023 all of the Ubuntu 20.04 security updates are no longer available without an Ubuntu Pro subscription?

dln949:
@artur-meinild, just looking for more clarification. I am running 22.04. Suppose I choose NOT to go with Ubuntu Pro. So for 5 yrs I will get updates for esm packages, but after year five will not? And for the next 5 yrs I will get messages that I should have Ubuntu Pro to get updates to esm packages? Can I safely ignore those messages? I ask as the message says I will NOT get updates for any esm packages without an Ubuntu Pro account - the message says that the Ubuntu Pro acct is "required" for updates: "The following security updates require Ubuntu Pro with 'esm-apps' enabled"

Thomas Ward:
So, I have information from the Security team after poking on this. *Some applications* are only 'updated' in the ESM repositories, but if you don't want to enroll in free ESM you can still update your system as normal with -updates and -security but you won't get 'newer' updates for things. Especially where Universe comes into play. You can *ignore* the ESM message if you don't want ESM - it's informational only - items in `esm-apps` are "newer" than what's in the main repositories but that's due to there not being community-volunteered updates for the -updates or -security pockets.

Artur Meinild:
@ThomasWard so does that mean that now you get security updates for apps, where there were never any security updates previously? Just to be sure.

Thomas Ward:
@ArturMeinild no, not necessarily. Some things might get updates but the vast majority probably won't, and it's not a guarantee of Security patching (same general concept to standard security patching applies, but with a stricter scale of what's actually updated, etc. but no real variation from standard policy for updates is my understanding). ESM however is **not needed** if you just want the standard free non-Canonical-commercial-offering stuff. Those warnings are 'red herrings' indicating updates *are* in esm-apps but they're non-critical and not necessarily all security.

Philippe Gaucher:
@ThomasWard I am a bit puzzled. So the package `texlive-full` is "Canonical-commercial-offering stuff"?

PenguinCSC:
Do I need `snapd` installed for the pro app to work? I manage more than 5 PCs for a computer lab and they don't want to pay the $25/y per PC (have more than 20 PCs). I unsnap all the machines, due to performance.

Artur Meinild:
@PenguinCSC no, `snapd` is not needed for Ubuntu Pro at this time. However, it's required if you want to use kernel live patching. That particular app is a `snap`.

mchid:
Theoretically, we should be able to compare the changelog file for both versions to show the differences. For example, to show the changelog for `imagemagick-6-common` you can run `zcat /usr/share/doc/imagemagick-6-common/changelog.Debian.gz` to print the file. Of course, download the deb for both, extract them, and then run `zcat ./usr/share/doc/imagemagick-6-common/changelog.Debian.gz` for each of them.

Joe:
Don't understand what is going on here. Are the "esm" updates not also to be made available upstream under the terms of open source licences? Over time will the new approach effectively convert a lot of the open source community developed applications into the effective property of Canonical?

Mikko Rantalainen:
Canonical is doing additional backports of new patches against historical versions of the packages. The latest version of each software already has these patches but Canonical doesn't offer the latest and greatest version from their package repositories. Instead, they offer the version that was included in the original release + backported security patches against those old versions.

Artur Meinild:
@MikkoRantalainen I took the liberty of adding part of your comment as explanation in my conclusion.