Ubuntu Pro and ESM apps


Post by domih »

For a few months, Ubuntu has been actively promoting Ubuntu Pro free for personal use. Here is an example of the announcement panel when you log into an Ubuntu 22.04 system:

Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.15.52-051552-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

9 additional security updates can be applied with ESM Apps.
Learn more about enabling ESM Apps service at https://ubuntu.com/esm


See part highlighted in red.

ESM stands for Expanded Security Maintenance.

If you use the GUI, there is an extra Ubuntu Pro tab in the Software & Updates Control Panel.

Ubuntu Pro Control Panel tab

The purpose is to provide certain package fixes faster and for longer. OK...

Again, it's free for personal use and you can use it on 5 machines.

If you follow the link from the Ubuntu Pro Control Panel tab, you are led to the browser where you can log in with your Ubuntu Account, activate your Ubuntu Pro plan and obtain your token.

Web Ubuntu Pro Dashboard

Once activated on your machine, sudo apt update && sudo apt upgrade will also install the "esm" updates.

The free Ubuntu Pro does not come with everything present in the $$$ commercial Ubuntu Pro. If you want to deliver an H3 or H3+ solution to corporate accounts that are serious about security, health companies or government agencies, they will probably ask for FIPS-140-2 (or even 3) certification of your platform. That's where you subscribe ($$$) to the full Ubuntu Pro version. The advertising is present in the Compliance & Hardening section of the Ubuntu Pro Control Panel tab.

Using apt-changelog you can learn what was changed in the apt packages.

Visiting the "Museum of Horrors" for instance:

apt changelog linux-modules-5.15.0-67-generic
apt changelog intel-microcode

These are full of CVE fixes, as well as INTEL-SA fixes in the latter. These are usually the ones where the description contains something like "...the attacker could escalate privileges..." or similar.

For instance, googling or binging for "INTEL-SA-00738" leads you quickly to https://www.intel.com/content/www/us/en ... 00738.html which contains: <<...A potential security vulnerability in some Intel® Xeon® Processors with Intel® Software Guard Extensions (SGX) may allow escalation of privilege. Intel is releasing firmware updates to mitigate this potential vulnerability...>> OK, it's only for certain Xeon CPUs, so you are unconcerned with your H3 or H3+. But INTEL can't stop fixing security issues with SGX :-)

Unfortunately, for the Ubuntu Pro packages coming from these PPA's:

https://esm.ubuntu.com/apps/ubuntu jammy-apps-security
https://esm.ubuntu.com/apps/ubuntu jammy-apps-updates
https://esm.ubuntu.com/infra/ubuntu jammy-infra-security
https://esm.ubuntu.com/infra/ubuntu jammy-infra-updates

No such luck. Example:

domih@ripper:~$ apt changelog dcmtk
E: Failed to fetch changelog:/dcmtk.changelog Changelog unavailable for dcmtk=3.6.6-5ubuntu0.1~esm1
domih@ripper:~$ apt changelog imagemagick
E: Failed to fetch changelog:/imagemagick.changelog Changelog unavailable for imagemagick=8:6.9.11.60+dfsg-1.3ubuntu0.22.04.1+esm1

So you get additional fixes faster(*) and for longer(**) but you do not know what was fixed at this point :-(

As the web page says (see above) the esm-apps is a beta.

(*) https://ubuntu.com/pro says "Reduce your average CVE exposure time from 98 days to 1 day". This page provides all the details. https://ubuntu.com/pricing/pro is as clear as a Microsoft page detailing all the Windows Server options. In other words we are dealing with "market segmentation" on top of a free OS with a free subscription.
(**) You get 10 years of support instead of 5.

What is included in the supported packages depends on your subscription level, with no subscription meaning 5 years of LTS support and "best effort".

To conclude, either Canonical does this to advertise Ubuntu Pro to the masses, or Canonical is testing the waters and would like in the future to create an intermediate non-free tier between Ubuntu (for the low-life, meaning us) and the commercial Ubuntu Pro (mostly corporation servers). This could be a kind of esm-apps++ tier (named "Professional" ?) at low-price with a coupon for the populace who needs the professional label.
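
When `apt changelog` cannot fetch an ESM changelog, as in the post above, the installed package still carries its own copy under /usr/share/doc. The sketch below is an added example, not part of the original post: the function names and sample data are constructed, and it assumes the package ships `changelog.Debian.gz`.

```shell
#!/usr/bin/env bash
# Added example: find ESM-built packages and read the CVEs named in their
# newest local changelog entry. Function names are hypothetical.

# Keep "package version" lines whose version carries a ~esmN or +esmN
# suffix, the pattern seen in the two versions quoted in the post.
esm_packages() {
    grep -E '^[^ ]+ [^ ]*[~+]esm[0-9]+'
}

# Print the CVE ids of the newest changelog entry only (text on stdin).
# An entry ends at its " -- maintainer  date" trailer line.
top_entry_cves() {
    awk '/^ -- / { exit } { print }' | grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# On a real system: walk installed ESM packages and read the changelog the
# package itself ships, which does not depend on the changelog server.
report() {
    dpkg-query -W -f='${Package} ${Version}\n' | esm_packages |
    while read -r pkg ver; do
        log="/usr/share/doc/$pkg/changelog.Debian.gz"
        printf '%s %s: ' "$pkg" "$ver"
        if [ -r "$log" ]; then
            zcat "$log" | top_entry_cves | tr '\n' ' '
        else
            printf '(no local changelog)'
        fi
        echo
    done
}

# Constructed sample input; the CVE ids are placeholders, not real ones.
SAMPLE_DPKG='bash 5.1-6ubuntu1
dcmtk 3.6.6-5ubuntu0.1~esm1
imagemagick 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.1+esm1'

SAMPLE_CHANGELOG='dcmtk (3.6.6-5ubuntu0.1~esm1) jammy-security; urgency=medium

  * SECURITY UPDATE: constructed entry for illustration
    - CVE-0000-00001
    - CVE-0000-00002

 -- Constructed Maintainer  Mon, 01 Jan 2024 00:00:00 +0000

dcmtk (3.6.6-5) unstable; urgency=medium

  * Older entry: CVE-0000-00003 must not be reported.'

printf '%s\n' "$SAMPLE_DPKG" | esm_packages
printf '%s\n' "$SAMPLE_CHANGELOG" | top_entry_cves
```

Call `report` on an Ubuntu machine to run the same two filters against the installed package set.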

Post by wojtoo »

It is a pity that CIS Hardening or another type of hardening (e.g. STIG) hasn't been provided since Ubuntu 22.04 was released (April 2022), even though there is a CIS document related to 22.04: https://www.cisecurity.org/benchmark/ubuntu_linux
CIS compliance with Ubuntu LTS is only for the previous version: https://ubuntu.com/security/certifications/docs/usg/cis

Post by domih »

Another unpleasant aspect is that with Ubuntu Pro activated, my APT Firefox got replaced with the SNAP Firefox, which, due to the sandboxing, prevents the ExpressVPN extension from working correctly. I thus have to use the 'expressvpn' console command to enable or change the VPN. Something I do on a regular basis when accessing remote servers checking my IP. As a result, I disabled Ubuntu Pro, purged the SNAP Firefox and re-installed the APT Firefox. Using the FF ExpressVPN extension is too convenient to use.
