Ubuntu security updates are a confusing mess

I’ve read this article several times now, and I’m still not entirely sure how to properly summarise the main points without leaving important details out. If you really boil it down to the very bare essentials, which packages get updates on which Ubuntu release is a confusing mess that most normal users will never be able to understand, potentially leaving them vulnerable to security flaws that have already been widely patched and are available on Ubuntu – just not your specific Ubuntu version, your specific customer type, or the specific package type in question.

So, in the case of McPhail here, they needed a patched version of tomcat 9 for Ubuntu 22.04. This patched version was available for Ubuntu 18.04 users because not only is 18.04 an LTS release – meaning five years of support – Canonical also offers a commercial Extended Security Maintenance (ESM) subscription for 18.04, so if you’re paying for that, you get the patched tomcat9. On Ubuntu 20.04, another LTS release, the patched version of tomcat9 is available for everyone, but for the version McPhail is running, the newer LTS release 22.04, it’s only available for Ubuntu Pro subscribers (24.04 is not affected, so not relevant for this discussion). Intuitively, this doesn’t make any sense.

The main cause of the weird discrepancy between 20.04 and 22.04 is that Canonical’s LTS support only covers the packages in main (about 10% of the total amount of packages), whereas tomcat9 lives in universe (90% of packages). LTS packages in universe are only supported on a “best effort” basis, and one of the ways a patched universe package can be made available to non-paying LTS users is if it is inhereted from Debian, which happens to be the case for tomcat9 in 20.04, while in 22.04, it’s considered part of an Ubuntu Pro subscription.

So, there’s a fixed package, but 22.04 LTS users, who may expect LTS to truly mean LTS, don’t get the patched version that exists and is ready to go without issues. Wild.

This is incredibly confusing, and would make me run for the Debian hills before my next reboot. I understand maintaining packages is a difficult, thankless task, but the nebulousness here is entirely of Canonical’s own making, and it’s without a doubt leaving users vulnerable who fully expect to be safe and all patched up because they’re using an LTS release.