What does LTS really mean? The 5 years question.

Cosmo.
Level 23
Posts: 17830
Joined: Sat Dec 06, 2014 7:34 am

Re: What does LTS really mean? The 5 years question.

Post by Cosmo. » Sun Apr 24, 2016 12:11 pm

Pjotr wrote: So the questions are:

a. Which packages should we worry about most, i.e. which ones can be classified as high risk?

At first I want to change the question to "Which packages should we worry about"?

All packages out of the universe and multiverse repositories. All packages, which do not actually get the 5 years LTS support.

As I described in my starting post, there is in Ubuntu the tool ubuntu-support-status. A quick test showed me, that you can install it in Mint (I used LM 17 Qiana Cinnamon 64 bit, but this should not matter), but it does not work. Probably this is because of this bug. In Ubuntu 16.04 it works for me. It would be relevant to know, which packages are pre-installed in Mint from those Ubuntu-repositories. This would give the need, to take a fresh installation of Mint and a fresh installation of Ubuntu, find out those packages, install them in Ubuntu and then run the tool to find the number and the names of all packages without support, with 9 months support and with 3 years support. Then you get an idea about the impact of the problem in any Mint main edition installation.

The core of the problem is, in my eyes, that Ubuntu says for the LTS: "supported for 5 years". Dot. That this is only half the truth is somewhere in the small print. I bet that 90%+ of all users of Ubuntu and Ubuntu-based systems don't know that this doesn't mean that any leakage which gets known in those 5 years will be closed. But there is the fact that they get known. The trouble with open source is that this openness becomes a boomerang if the leaks stay unclosed. In the article (link in my first post) the author says that gaps in many installed packages would almost certainly be a frequent attack vector if Ubuntu Desktops had a similar distribution like Android. Security sounds different than relying on an OS with rather few installations.

If this post by xenopeek (upgrade as soon as possible), published on the day when the support for LM 16 ended, has a meaning, then it is worth thinking about the fact that parts of the LTS system have no support for more than 4 years.

killer de bug
Level 14
Posts: 5415
Joined: Tue Jul 08, 2008 1:49 pm
Location: Leuven, Belgium

Re: What does LTS really mean? The 5 years question.

Post by killer de bug » Sun Apr 24, 2016 12:44 pm

Hoser Rob wrote: It may be an LTS release but they didn't use an LTS kernel release. This means that Canonical has to do all that backporting that the kernel maintainers would do with an LTS kernel.

They do a good job with their kernels. So good that Debian is even using their kernel. :wink:

Hoser Rob wrote: This is actually why I switched to Mint.

LM uses the same kernel...
If it ain't broke, fix it until it is.

killer de bug
Level 14
Posts: 5415
Joined: Tue Jul 08, 2008 1:49 pm
Location: Leuven, Belgium

Re: What does LTS really mean? The 5 years question.

Post by killer de bug » Sun Apr 24, 2016 12:47 pm

Cosmo. wrote: All packages, which do not actually get the 5 years LTS support.

This is anyway not realistic. The team is way too small to support all packages.

Fred Barclay
Level 12
Posts: 4207
Joined: Sat Sep 13, 2014 11:12 am
Location: Bumping around in the bush

Re: What does LTS really mean? The 5 years question.

Post by Fred Barclay » Sun Apr 24, 2016 12:49 pm

killer de bug wrote: They do a good job with their kernels. So good that Debian is even using their kernel. :wink:

Wait... what?? :shock:
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein

xenopeek
Level 24
Posts: 24133
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: What does LTS really mean? The 5 years question.

Post by xenopeek » Sun Apr 24, 2016 2:08 pm

Fred Barclay wrote: Wait... what?? :shock:

I'm a bit lost as well :) Then what does the Debian kernel team do all day...

The Dark Side
Level 4
Posts: 321
Joined: Mon Apr 02, 2012 2:58 pm
Location: En el Lado Oscuro !!

Re: What does LTS really mean? The 5 years question.

Post by The Dark Side » Sun Apr 24, 2016 2:10 pm

It does not seem right that just Ubuntu enjoys the 5 years of support. At 16.04 they have stopped along the way, all derived from the family. In two cases where, in my view very wrong. Ubuntu Mate and Xubuntu, for their quality, would perfectly have deserved 5 years of full support too!!

Really even though it is not a magnificent how other edition, it hurts me that Kubuntu has lost its "status" of 5 years of support. It is that the base is completely community and that still lacks Plasma 5, but could have considered keeping the 5 years. A shame really. Best Regards.-
MX Linux 18.3 (KDE & XFCE)
PCLinuxOS KDE
PCLinuxOS MATE
Devuan Ascii 2

killer de bug
Level 14
Posts: 5415
Joined: Tue Jul 08, 2008 1:49 pm
Location: Leuven, Belgium

Re: What does LTS really mean? The 5 years question.

Post by killer de bug » Sun Apr 24, 2016 2:13 pm

Well I may have taken a shortcut somewhere, but I'm basically right.

https://lists.debian.org/debian-kernel/ ... 00543.html
The Ubuntu kernel team is pleased to announce that we will be
providing extended stable support for the Linux 3.16 kernel until
April 2016 [...]
In addition to the Ubuntu 14.10 "Utopic Unicorn" release, the Debian 8
"Jessie" release will also be based on this kernel [2]. Since the
regular support for "Jessie" will go beyond April 2016, after this
date Ben Hutchings (or myself) will continue the Linux 3.16 kernel
maintenance.
So no worries. The Debian Kernel team has a lot of work to do and they do it. Nevertheless, for Debian Jessie, they have used a kernel where the support was offered by the Ubuntu team. :wink:

Cosmo.
Level 23
Posts: 17830
Joined: Sat Dec 06, 2014 7:34 am

Re: What does LTS really mean? The 5 years question.

Post by Cosmo. » Sun Apr 24, 2016 2:14 pm

killer de bug wrote:
Cosmo. wrote: All packages, which do not actually get the 5 years LTS support.
This is anyway not realistic. The team is way too small to support all packages.

That may probably be an explanation, but no excuse. Not for the fact that the leaks do not get fixed, and especially no excuse that the users do not get informed in the "big print"; even with an understaffed crew, proper information is possible.

Mr.October
Level 4
Posts: 211
Joined: Sat Oct 24, 2015 1:27 am

Re: What does LTS really mean? The 5 years question.

Post by Mr.October » Sun Apr 24, 2016 2:15 pm

I was just thinking about the 5 and 3 years and the 9 months support of the new (*)Ubuntu, and later on Mint. Okay, I admit, 9 months is way too short, that has to be improved to at least 3 years as well.
But even 3 years, guys? Isn't that more than enough? It's the week of the release of the Buntu's, maybe a week after and here on the forum people are shouting: when will Mint 18 be here?
This same thing will happen in 2 years again when the next LTS versions are coming. Am I right?
There will be a few who will stick to their LTS version for as long as it is supported, but the majority, the great majority, jumps into the new LTS version on the day it arrives. So, 2 years and a few months makes 3 years, should be more than enough.
It would also be better for a relatively small team as Mint. With 5 years they have to support 3 LTS versions:
the one which comes out now, the one which came 2 years ago and the one from 4 years ago since that one still has one year to go.
Make support for everything 3 years and supply us a new version every 2 years. To me it sounds more logical, especially when the crowd can't wait to install the new version as soon as it is available.
Let's see what comments I get on this one. :lol:

killer de bug
Level 14
Posts: 5415
Joined: Tue Jul 08, 2008 1:49 pm
Location: Leuven, Belgium

Re: What does LTS really mean? The 5 years question.

Post by killer de bug » Sun Apr 24, 2016 2:22 pm

You need to think about enterprises that need 5 years of support.
And you need to think that Maya is supported mainly by Canonical, not by Mint anymore (Cinnamon/Nemo...). This will be the same in a few weeks for LM17.x

xenopeek
Level 24
Posts: 24133
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: What does LTS really mean? The 5 years question.

Post by xenopeek » Sun Apr 24, 2016 2:38 pm

killer de bug wrote: Well I may have taken a shortcut somewhere, but I'm basically right.

I checked the links and none were posted on April Fools' day. I still feel there must be a "haha, gotcha!" in here somewhere :lol: Thanks for the information, something new learned today!

killer de bug
Level 14
Posts: 5415
Joined: Tue Jul 08, 2008 1:49 pm
Location: Leuven, Belgium

Re: What does LTS really mean? The 5 years question.

Post by killer de bug » Sun Apr 24, 2016 2:55 pm

I remember that there were huge discussions about the kernel choice for Jessie. 3.16 was chosen because the Ubuntu kernel team was supporting it (until now). It was helping the Debian team. 3.16 is not an LTS kernel normally.

To answer your question, I think the Debian team was busy (until now) with the 3.2 kernel from Wheezy.

Cosmo.
Level 23
Posts: 17830
Joined: Sat Dec 06, 2014 7:34 am

Re: What does LTS really mean? The 5 years question.

Post by Cosmo. » Sun Apr 24, 2016 5:46 pm

Mr.October wrote: Make support for everything 3 years and supply us a new version every 2 years. To me it sounds more logical, especially when the crowd can't wait to install the new version as soon as it is available.

Nice wish. But you would have to convince Mark Shuttleworth. :roll:
Or do you mean that Mint shall limit the support time, although the Ubuntu base has (in parts) a 2 years longer support period? I don't want to imagine the discussion here if the users complain that the Mint parts no longer get support, although the Ubuntu base does. Don't forget that 97 % of all packages come from Ubuntu (taking the numbers as compiled by xenopeek).

Ark987
Level 4
Posts: 353
Joined: Tue Apr 07, 2015 4:20 am

Re: What does LTS really mean? The 5 years question.

Post by Ark987 » Sun Apr 24, 2016 5:54 pm

The situation is kind of sad, I think it is better to keep upgrading to the latest Ubuntu LTS as soon as possible to avoid gambling.

Xeno's post back then was an eye opener for me, all my favorite apps for daily use are basically not supported by Canonical, another good example of "read the small letters in the contract".

Chiefahol
Level 4
Posts: 473
Joined: Thu Jun 11, 2015 12:32 am

Re: What does LTS really mean? The 5 years question.

Post by Chiefahol » Sun Apr 24, 2016 9:19 pm

Pjotr wrote:
killer de bug wrote:
Pjotr wrote: On the other hand, I think that VLC certainly is high risk.
:shock:
Why?
Multimedia is widespread on the web, and VLC is also widely used on Windows. That probably makes it an attractive target.

This seems a little speculative. Are there examples of VLC being exploited? :shock:
Donate to your favourite distros!

Ark987
Level 4
Posts: 353
Joined: Tue Apr 07, 2015 4:20 am

Re: What does LTS really mean? The 5 years question.

Post by Ark987 » Mon Apr 25, 2016 2:24 am

Chiefahol wrote:
This seems a little speculative. Are there examples of VLC being exploited? :shock:

All vulnerabilities are speculative, especially the "man-in-the-middle" when you are on a switched network. The important question is how much you are willing to risk for stability. Windows XP is still in use and there isn't any breaking news... Yet....

Just make your informed decision.

Pjotr
Level 21
Posts: 13722
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)

Re: What does LTS really mean? The 5 years question.

Post by Pjotr » Mon Apr 25, 2016 4:45 am

It looks like it's advisable, security-wise, to have a layered approach.

1. As already suggested, it seems wise not to keep using an LTS (be it Ubuntu or Mint) for the entire lifespan of five years. If you use it for three years maximum, then you will have no problems with the category "three years support".

The ideal upgrade moment is probably the release of the first point edition (e.g. Ubuntu 16.04.1 or Linux Mint 18.1). Because then the inevitable "teething troubles" of the new LTS should have been fixed, which should make an upgrade relatively painless.

This is probably the single most effective and most simple thing you can do, for the largest amount of packages.

2. That leaves the smallest category, namely the category "nine months support". Which packages does this concern (may differ for each *buntu version or Mint desktop version), and which of those pose a relatively high risk, at least in theory?

Note that there's also a category "unsupported", but this looks like a distorted picture: it contains for example Chrome (which is supported by Google, by means of its own repo) and some fonts. Flash Player looks unsupported from this output, but in fact it is supported.

For Xubuntu 16.04 on my netbook, this means the following:

Support status summary of 'Aspire-E3-111':

You have 42 packages (2.6%) supported until januari 2017 (9m)
You have 214 packages (13.0%) supported until april 2019 (3y)
You have 1376 packages (83.7%) supported until april 2021 (5y)

You have 0 packages (0.0%) that can not/no-longer be downloaded
You have 11 packages (0.7%) that are unsupported

No longer downloadable:


Unsupported: 
cabextract firejail flashplugin-installer google-chrome-stable 
gstreamer1.0-fluendo-mp3 gstreamer1.0-plugins-ugly 
gstreamer1.0-plugins-ugly-amr libsidplay1v5 oxideqt-codecs-extra 
ttf-mscorefonts-installer ubuntu-restricted-addons 

Supported until januari 2017 (9m):
binfmt-support firefox-locale-nl freepats grub-efi-amd64-signed 
gstreamer1.0-plugins-bad gstreamer1.0-plugins-bad-faad 
gstreamer1.0-plugins-bad-videoparsers hunspell-nl hyphen-nl 
libde265-0 libgstreamer-plugins-bad1.0-0 liblsan0 libmimic0 
libmpeg2encpp-2.1-0 libmplex2-2.1-0 libofa0 libopencv-calib3d2.4v5 
libopencv-contrib2.4v5 libopencv-features2d2.4v5 libopencv-flann2.4v5 
libopencv-legacy2.4v5 libopencv-ml2.4v5 libopencv-objdetect2.4v5 
libopencv-video2.4v5 librarian0 libreoffice-help-nl 
libreoffice-l10n-nl libsoundtouch1 libspandsp2 libsrtp0 libtsan0 
libwildmidi-config libwildmidi1 libzbar0 linux-signed-generic 
linux-signed-image-4.4.0-21-generic linux-signed-image-generic 
rarian-compat shim shim-signed thunderbird-locale-nl wdutch
Tip: 10 things to do after installing Linux Mint 19.2 Tina
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.
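
The report layout pasted in the post above can be checked mechanically. The following is an added example, not part of any forum post or of the ubuntu-support-status tool: a Python parser for that text layout that lists the packages whose support window is shorter than the time you plan to stay on the release. The sample report is constructed (package lists abridged, the `example-pkg-*` names invented) and `keep_months` is an assumed parameter.

```python
import re

# Constructed sample in the report layout shown in the post above (abridged package lists).
SAMPLE_REPORT = """\
Support status summary of 'example-host':

You have 42 packages (2.6%) supported until januari 2017 (9m)
You have 214 packages (13.0%) supported until april 2019 (3y)

No longer downloadable:


Unsupported: 
cabextract firejail flashplugin-installer 
ttf-mscorefonts-installer 

Supported until januari 2017 (9m):
binfmt-support libde265-0 libsrtp0 
shim shim-signed

Supported until april 2019 (3y):
example-pkg-a example-pkg-b
"""

# Section headers end with ':'; the "(9m)" / "(3y)" token is locale-independent,
# unlike the month name ("januari" in the Dutch-locale output above).
HEADER = re.compile(r"^(Unsupported|No longer downloadable|Supported until .*\((\d+)([my])\)):\s*$")

def parse_sections(report):
    """Return {support_months: [packages]}; 0 means unsupported or not downloadable."""
    sections, current = {}, None
    for line in report.splitlines():
        m = HEADER.match(line)
        if m:
            months = 0 if m.group(2) is None else int(m.group(2)) * (12 if m.group(3) == "y" else 1)
            current = sections.setdefault(months, [])
        elif current is not None and line.strip():
            current.extend(line.split())
    return sections

def needs_review(report, keep_months):
    """Packages whose support window ends before the planned time on this release."""
    sections = parse_sections(report)
    return sorted(p for months, pkgs in sections.items() if months < keep_months for p in pkgs)

if __name__ == "__main__":
    for pkg in needs_review(SAMPLE_REPORT, keep_months=36):
        print(pkg)
```

The zero-month bucket still needs a manual look, since packages updated from a vendor's own repository are reported there too, as the post above points out.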

mmix
Level 2
Posts: 82
Joined: Fri Dec 25, 2015 8:02 pm

Ubuntu LTS: many vulnerabilities despite long-term support

Post by mmix » Mon Apr 25, 2016 9:30 am

Ubuntu LTS: many vulnerabilities despite long-term support
http://www.wilderssecurity.com/threads/ ... rt.385386/

so small/compact linux distros are beautiful,
small weak point/hole.

Crewp
Level 9
Posts: 2517
Joined: Sat Dec 01, 2012 8:36 pm
Location: Connecticut,USA

Re: Ubuntu LTS: many vulnerabilities despite long-term support

Post by Crewp » Mon Apr 25, 2016 9:44 am

Time for Linux Mint to make LMDE the main version. :mrgreen: ( Just dreaming ) but interesting article though.

Cosmo.
Level 23
Posts: 17830
Joined: Sat Dec 06, 2014 7:34 am

Re: Ubuntu LTS: many vulnerabilities despite long-term support

Post by Cosmo. » Mon Apr 25, 2016 10:25 am

The topic already exists here.
