What does LTS really mean? The 5 years question.

[Pjotr]

As a result of this discussion I've added the following caution to my website:
https://sites.google.com/site/easylinux ... hree-years
(item 14, right column)

That should provide a simple workaround for the "three years" category.

Now as to the "nine months" category: how can that be tackled best? What are the riskiest packages among those listed?

Another thought: upgrading your Mint "in place", i.e. within the same series (for example from 17.2 to 17.3), might be an easy way to upgrade at least some of the "nine months" packages. Thus making them secure again.

[Mr.October]

Wow, I did not expect this when I wrote my story last night. I did expect more complains than what I received so far. Yes, Killer de bug, you are right, for companies a 5 year support would be ideal, I fully agree. But looking around here on the forums, and it's not different on forums of other distro's, people always want the latest and greatest of everything.
On one side they want a rock solid distro but when they have one they want the latest updates which won't be coming to this version of their distro because it's not in the plans, so as soon as a new version of the distro is released they forget about the old one and jump into the new one which is up to date (well sort of) regarding the user programs giving the latest (and greatest?) of them.

Guys, be honest and write here when you update from one LTS version to the next one. When will you forget about 17.x and install 18?
I normally would do this one or two weeks after it is released. That way the first errors after release are taken out and I know it is a good distro.
How about you all?

[killer de bug]

But looking around here on the forums, and it's not different on forums of other distro's, people always want the latest and greatest of everything.

I agree with you. But companies are the way of making business with Linux. Canonical needs this market and hence the 5 years support.

[Mr.October]

But looking around here on the forums, and it's not different on forums of other distro's, people always want the latest and greatest of everything.

I agree with you. But companies are the way of making business with Linux. Canonical needs this market and hence the 5 years support.

Yes, I get that, I also wrote it. But when programs are not supported the full 5 years why should companies still want them? Isn't it better to upgrade to a new version of the distro after let's say 3 years and have support again for the next 3 years?

[Ark987]

Canonical needs this market and hence the 5 years support.

For the cloud images, hence only supporting the core, bare metal, just plain old school command line utilities and some other commodities not related to desktop

[Cosmo.]

@Pjotr:
You wrote in your article, that a "smaller part comes from universe and multiverse. That is actually wrong. If I open synaptic in my still rather fresh installation of 16.04 I get the following (rounded), if I filter for sources:
universe: 110.000
main: 15.000
But there is something strange: If I filter for all, I get 54.000. What, in universe are more packages than in total, how can that? I think there is a bug in the synaptic version of 16.04. If I compare this with my Mint installation, I get for all: 48.000, for main 5.000 and for universe 33.000. The differences between Mint (U 14.04) and 16.04 are not may concern, they are explainable as the differences between 2 different OS-versions. But in Mint's synaptic the number for universe does not exceed the number for all, as it does in 16.04 and what is absolutely impossible. Conclusion: Bug in the new synaptic version (hopefully Ubuntu solves it in between the next 3 years ).
So let us count the packages in 16.04 with this method: all: 54.000, main: 15.000, difference: 39.000; you can forget the remaining repositories at the moment, so that there are indeed far more packages in universe than in main, not only a "smaller part".

[Cosmo.]

Now as to the "nine months" category: how can that be tackled best?

Short answer: Not at all. Ubuntu made a mistake and only they can resolve it. (And don't forget the not-supported).

In more detail:
When I came at fist to the introducing article those packages, which get shown as unsupported or with 9 months support, came as the real problem in my mind. How can it be, that an OS gets offered with 5 years support, when a part of the packages are after 9 months dead in the meaning, that nobody cares about stability and safety? And some other packages without support at all? And that even in a plain vanilla Ubuntu installation a (small) number of those packages can be found?

It is obvious, that I cannot give the answer, but I have the following suspicion: As I wrote some posts above, there was a bug in the ubuntu support tool; probably it did never work since 5 or more years. I had linked a rather new bug report, but I found also others, one from 2011.
IIRC the change for the support time for LTS releases had at first been done for 12.04. That means, that at least the 3 years problem did not exist in older LTS-releases. But as the support tool never worked, nobody was able to use it and consequently nobody was able to detect the problem, that Ubuntu announced 5 years support period, but actually provided this only for the minority of the packages. Old word says: What I do not know will not hurt me.

This situation has changed with the fixed tool in Ubuntu 16.04. And consequently the investigations could only start now. Perhaps we have here a very new kind of bug: a decision bug. For a sane brain it should be unthinkable to limit the support time of a part of the packages to zero or 9 months and announcing at the same time a 5 years support period. Somebody must have done a big mistake.

Well, my general opinion is, that humans make errors and only humans, who do nothing do no errors - or at least no visible errors. So I give a chance, that this error gets corrected in the near future. If this should not happen, I come back to my short answer. Conclusions would have to be the next step.

The article points in the last paragraph especially to server systems. To my knowledge server versions are the segment, where Canonical earns money and as we know, Linux is in the server segment a very important OS. I hope, that at the moment, where the paying customers for Ubuntu-servers get aware about the problem, Ubuntu / Canonical will be forced to correct this mistake. Otherwise the paying customers will probably do what the article suggests: They take another server OS.

[z31fanatic]

LTS = Lie That Sells

[Joss]

All this is very disturbing.
Repositories are one of the pillars in the Linux safety stock (myth?) along with root access.

[Pjotr]

Perhaps we have here a very new kind of bug: a decision bug. For a sane brain it should be unthinkable to limit the support time of a part of the packages to zero or 9 months and announcing at the same time a 5 years support period. Somebody must have done a big mistake.

Well, my general opinion is, that humans make errors and only humans, who do nothing do no errors - or at least no visible errors. So I give a chance, that this error gets corrected in the near future. If this should not happen, I come back to my short answer. Conclusions would have to be the next step.

Agreed. At least the default unchanged "vanilla" installation, without third-party software and such, should be supported for five years.

That said: I haven't checked a really vanilla installation yet, namely one in which I haven't installed third-party codecs etc. (the stuff you get when you tick that particular checkbox in the installer).

By the way: I'll change my text about the proportion of the Universe and Multiverse packages. I meant their relative presence in a default installation, but indeed the total installable amount is much higher.

To all those who read this discussion: in the meantime I advise people to refrain from instantaneous action. In real life, Ubuntu LTS and Linux Mint have proven to be very secure operating systems. And that for years. The current problem is a serious one, but there's no need for drastic measures just yet.

[Cosmo.]

At least the default unchanged "vanilla" installation, without third-party software and such, should be supported for five years.

To make my point clearer: I used the hint to the vanilla installation only for the purpose to make clear, that even in this case the claim of 5 years support is not true.

I actually take the stance, that all, what gets offered in the official repository, has to get the same and full support time, that the distributor announces without the least restriction. This is especially true for Ubuntu, as they offer by default only the software center as package management GUI, where the user does not get the slightest hint, that he might install software (without PPA), that reduces the support time for the complete system up to zero in the worst case. The term repository does not exist in the software center, so that no user gets only the idea, that the offered packages (inclusive that which are set as recommended) reduce the support time for the system in total.

Further more, only somebody coming from a different star can assume, that a user uses an OS for 5 years without installing anything, what does not comes pre-installed. If the users gets an OS with a built-in software center, he will supposedly install the one or other piece of software.

If you buy a car and the manufacturer gives you 2 (for some makers 5) years warranty, they also tell you (and have to tell you), that there exceptions: E. g. tires, lamps or windshield wipers. No one would accept (and at least here in Germany also no court), if they would later tell the customer, that this or that is also excluded and that it is the duty of the car-owner to investigate in detail into that question.

Nobody sells for a desktop license (donations are something else), so Ubuntu / Canonical cannot be judged about that question. But if this should not get changed, they are in risk, to loose their reputation as one of the leading Linux desktop distributors.

To all those who read this discussion: in the meantime I advise people not to panic. .... The current problem is a serious one, but there's no need for drastic measures yet.

I second this. Especially I do not share such remarks as Lie That Sells. LTS is a fact. It may be, that out of any reason - I had described one, that I can think about and appears to be logical - there was a human made mistake. Those who have Mint17.x have some packages, that have lost support 15 months ago, for LM 13 users the situations is even worse. But until 2 days ago nobody was aware about this - at least this appears for me, if I read the reactions here. Now that we know about the problem does not mean, that anything would have been changed in the last days. We have lived with this situation - probably because of the low market share of Linux - and panic reactions will not make things better.

That does not mean, that I will switch back to "business as usual"; I will certainly have an eye on that problem and wait, what Ubuntu will do. I hope, they will, but if not, I will draw my consequences. LMDE is definitely an option.

[z31fanatic]

I second this. Especially I do not share such remarks as Lie That Sells. LTS is a fact.

It was a joke. Lighten up. People on here are too uptight.

[Cosmo.]

It was a joke. Lighten up. People on here are too uptight.

Some people do read. I "read" also smilies, and the smilie I saw didn't appear as a joke.

[Pjotr]

OK, there's some important recent information about ubuntu-support-status, from Marc Deslauriers, an Ubuntu developer employed at Canonical: https://lists.ubuntu.com/archives/ubunt ... 16477.html

Marc Deslauriers also filed this bug report on it:
https://bugs.launchpad.net/ubuntu/+sour ... ug/1574670

Apparently the tool ubuntu-support-status returns inaccurate information and should be rewritten. This might imply that the current problem is (much?) less serious than we were thinking.

Nevertheless, more and (this time) accurate information about support terms is important. Canonical has a job here. They can't just remove the tool and leave it at that.

[Cosmo.]

Apparently the tool ubuntu-support-status returns inaccurate information and should be rewritten. This might imply that the current problem is (much?) less serious than we were thinking.

It doesn't seem to be so simple. And I cannot follow Marc's conclusion, that there is something wrong with the support tool. He writes himself, that apt show gives the same info about the (far too short) support time. I can reproduce it on my 16.04 installation and checked it for synaptic and rarian-compat (gets installed with synaptic): 3 years respectively 9 months following the apt output. I cannot see, where the support tool does a mistake.

Regarding the message regarding nginx: I cannot reproduce it at all.
apt show nginx produces for me: 5 years. This package is not installed by default, so ubuntu-support-status doesn't show it at all. If I install it (with nginx-common and nginx-core) the support tool gives me for all 3 packages 5 years (ubuntu-support-status --show all | grep nginx).

So where is the mistake really? The message by Marc does not change the least about the problem.

[Pjotr]

So where is the mistake really? The message by Marc does not change the least about the problem.

The real problem is apparently in the "supported" tag of the packages themselves. That's why apt-show gives the same output as ubuntu-support-status.

So either those tags should be corrected (best solution), or the tool should automatically correct those wrong tags in its output.

[Cosmo.]

The real problem is apparently in the "supported" tag of the packages themselves.

Once again: Which wrong tags? As described, what Marc wrote is not reproducible here. If he gets 9 months for nginx, than this seems for me to be a local problem.

And there is at now no information, that the tags, which give the shorter values for synaptic (as example) are based on any wrong tag (despite on a wrong decision).

BTW: The fact, that Marc doesn't seem to see something wrong about the fact, that a 9 months support period does exist at all in a LTS-release (he complains, that he sees this for main repo package), leads me merely to the suspicion, that those 9 months packages do exist with this short tag by design, or by will. And that it is the real problem.

[Ark987]

The "wrong tags" appears to be a metadata in the .deb/whatever packages which seems to be no longer maintained. This also raise another concern,

...hasn't been used or updated since Ubuntu 10.04 LTS...

Does Canonical maintain their own tools? broken since April 2010...

The are few parts of the puzzle that could help to clarify their own policy, which for them is normal:

https://wiki.ubuntu.com/SecurityTeam/FAQ

What software is officially supported by the Ubuntu Security team?
Ubuntu is currently divided into four components: main, restricted, universe and multiverse. All binary packages in main and restricted are supported by the Ubuntu Security team for the life of an Ubuntu release, while binary packages in universe and multiverse are supported by the Ubuntu community.

https://bugs.launchpad.net/ubuntu/+sour ... ug/1574670

It also uses the term "unsupported" instead of "community-supported" which doesn't accurately portray the status of universe packages.
This tool should be rewritten to return more accurate results, or simply removed completely.

https://www.reddit.com/r/linux/comments ... es/d2hmbd8

In cases 1 and 2, Canonical pays people to monitor the actual upstream developer releases and get those security fixes into main/restricted. Canonical provides security updates through the release lifetime, which is usually for 9 months, but in LTS it's 5 years.

In cases 3 and 4, Canonical does not do this. Instead there is a group of volunteers called MOTU SWAT that fill in. As they are volunteers, security updates are entirely a question of effort and interest.

Importantly: this is true even well before 9 months. There is nobody who is on the payroll to do security updates to any universe package in Ubuntu at any time. All updates come from "viewers like you". But, effort and interest is likely to be a lot higher when a release is current then when it is old.

The best that we can do as users is to understand what an LTS really is. From my point of view it seems like Canonical just leave the heavy lifting in the hands of the community. If there is anything to improve is to increase the community manpower and participation, or hope that Canonical introduce more packages into the Main repo.

[The Old Timer]

Is there a terminal command that can be ran to check what packages are still supported and what packages are no longer supported.

Linux Mint Mate 17.1

Thanks

[xenopeek]

I've moved your post here from Ubuntu 16.04 has potentially serious privacy flaw !. Let's stay on topic in that other topic...

Anyway, Pjotr has already provided information in an earlier comment here that the command to check support status of packages is no longer useful and will be removed from Ubuntu: viewtopic.php?f=61&t=220892&start=40#p1160445