2

Ubuntu and its flavors (Lubuntu, etc.) now have a Pro feature (free for personal use) that provides security patches for basically all common software (over 20,000 packages), for several years in long-term support releases.

I’m not sure how it works though. It sounds like there’s a team of developers paid by Canonical that will try to fix security bugs as soon as possible, providing patches faster than the original software developers or the original repo maintainers. If so, then Ubuntu might have become significantly more secure than other free distros.

However it all depends on how this Pro feature actually works. For example, if the Canonical team just waited for the official patches from the original developers, then the overall security would be equivalent to that of a rolling release distro (basically achieving rolling-release security on a fixed-release LTS distro).

So the question is: how does this Pro feature work in Ubuntu, and how does it compare with the security of other free distributions, in terms of security updates?

reed
  • 129

1 Answer

7

It sounds like there’s a team of developers paid by Canonical that will try to fix security bugs as soon as possible, providing patches faster than the original software developers or the original repo maintainers.

There is a team of professional security engineers paid by Canonical on the Ubuntu Security Team.

Among many other things, that team handles both public and private CVE reports, and handles the directly-related patching and testing.

  • Security-related bugs (including CVEs) are triaged and prioritized by the Ubuntu Security Team.

    However, the implicit assumption that ALL security-related bugs must be high-priority is false. Many are not: Hard to implement, require special conditions, limited effectiveness, etc. Ubuntu does not promise that lower-priority security issues will get addressed "as soon as possible." Some may await the next release of Ubuntu.

  • The usual workflow is to use the upstream-provided patches, which are typically included with many CVEs. Then the patch must be tested by the Team. The Team can create their own patches, but that effort tends to consume a lot of resources so it's not their first choice.

  • Critical security CVEs may sometimes be shared confidentially (delayed public disclosure) among many organizations in the cases where a coordinated response will be more effective.

    Ubuntu does not promise to break confidentiality by releasing patches earlier.

All of these activities are in line with the best practices of peer organizations.

Ubuntu promises to be stable and secure, as do other distros with professional security engineers on staff. Ubuntu does not promise to be "significantly more secure" (whatever that might mean).

user535733
  • 68,493