Ubuntu PRO – is it much gain for security or stability?

I am asking me this question since a while. I have a Ubuntu MATE 24 VM where Ubuntu PRO is not activated. So the updater presents me a long list of updates which I am therefore missing. Recently, I looked at the descriptions which become visible when you click on one of them. And I kept finding entries like this:

Changes for libavdevice60 versions:
Installed version: 7:6.1.1-3ubuntu5
Available version: 7:6.1.1-3ubuntu5+esm7

The changelog does not contain any relevant changes.

After going through them, 1 item at a time, copying and pasting the entries into Libre Office, I had a 4 pages document full of such entries. :-))

Also, I checked out POP!_OS in a VM. This is built on Ubuntu 24.04, but with a home-grown desktop (which underwhelms me). System76.com sells hardware with POP!_OS preinstalled, but you can also download POP!_OS for free. I was intrigued to find out how you get the important Ubuntu PRO updates under POP!_OS. (If they sell hardware + own OS, there might really be liability issues if their machines are missing important security updates which are available as open-source and therefore business machines get hacked.)

After comparing versions for packages that were the same in Ubuntu 24 and POP!_OS, the answer was: You don’t get the Ubuntu PRO versions. You get the “non-PRO-versions” and there is no way to change that. All I could find on the internet was discussions on how/whether you could/should activate Ubuntu PRO in POP!_OS. (Tendency of results: You can and should not.)

So System76 considers it safe to live without the Ubuntu PRO updates. And they bet the ranch on that.

Since there are old hands and developers here: Do you guys know of any severe security or stability issue that remains unfixed without Ubuntu PRO? Can you name examples?

APPENDIX: Descriptions of Ubuntu PRO Packages

Package: libavdevice60
libavdevice60

Changes for libavdevice60 versions:
Installed version: 7:6.1.1-3ubuntu5
Available version: 7:6.1.1-3ubuntu5+esm7

The changelog does not contain any relevant changes.

Package: ffmpeg
ffmpeg

Changes for ffmpeg versions:
Installed version: 7:6.1.1-3ubuntu5
Available version: 7:6.1.1-3ubuntu5+esm7

The changelog does not contain any relevant changes.

Package: libvlc-bin
libvlc-bin

Changes for libvlc-bin versions:
Installed version: 3.0.20-3build6
Available version: 3.0.20-3ubuntu0.1~esm1

The changelog does not contain any relevant changes.

Package: libvlc5
libvlc5

Changes for libvlc5 versions:
Installed version: 3.0.20-3build6
Available version: 3.0.20-3ubuntu0.1~esm1

The changelog does not contain any relevant changes.

Package: libvlccore9
libvlccore9

Changes for libvlccore9 versions:
Installed version: 3.0.20-3build6
Available version: 3.0.20-3ubuntu0.1~esm1

The changelog does not contain any relevant changes.

Package: 7zip
7zip

Changes for 7zip versions:
Installed version: 23.01+dfsg-11
Available version: 23.01+dfsg-11ubuntu0.1~esm1

The changelog does not contain any relevant changes.

Package: imagemagick
imagemagick

Changes for imagemagick versions:
Installed version: 8:6.9.12.98+dfsg1-5.2build2
Available version: 8:6.9.12.98+dfsg1-5.2ubuntu0.1~esm6

The changelog does not contain any relevant changes.


Package: imagemagick-6-common
imagemagick-6-common

Changes for imagemagick-6-common versions:
Installed version: 8:6.9.12.98+dfsg1-5.2build2
Available version: 8:6.9.12.98+dfsg1-5.2ubuntu0.1~esm6

The changelog does not contain any relevant changes.

Package: imagemagick-6.q16
imagemagick-6.q16

Changes for imagemagick-6.q16 versions:
Installed version: 8:6.9.12.98+dfsg1-5.2build2
Available version: 8:6.9.12.98+dfsg1-5.2ubuntu0.1~esm6

The changelog does not contain any relevant changes.

Package: libavcodec60
libavcodec60

Changes for libavcodec60 versions:
Installed version: 7:6.1.1-3ubuntu5
Available version: 7:6.1.1-3ubuntu5+esm7

The changelog does not contain any relevant changes.

Package: libavfilter9
libavfilter9

Changes for libavfilter9 versions:
Installed version: 7:6.1.1-3ubuntu5
Available version: 7:6.1.1-3ubuntu5+esm7

The changelog does not contain any relevant changes.

ackage: libavformat60
libavformat60

Changes for libavformat60 versions:
Installed version: 7:6.1.1-3ubuntu5
Available version: 7:6.1.1-3ubuntu5+esm7

The changelog does not contain any relevant changes.

Package: libavutil58
libavutil58

Changes for libavutil58 versions:
Installed version: 7:6.1.1-3ubuntu5
Available version: 7:6.1.1-3ubuntu5+esm7

The changelog does not contain any relevant changes.

Package: libcjson1
libcjson1

Changes for libcjson1 versions:
Installed version: 1.7.17-1
Available version: 1.7.17-1ubuntu0.1~esm3

The changelog does not contain any relevant changes.

Package: libmagickcore-6.q16-7-extra
libmagickcore-6.q16-7-extra

Changes for libmagickcore-6.q16-7-extra versions:
Installed version: 8:6.9.12.98+dfsg1-5.2build2
Available version: 8:6.9.12.98+dfsg1-5.2ubuntu0.1~esm6

The changelog does not contain any relevant changes.

Package: libmagickcore-6.q16-7t64
libmagickcore-6.q16-7t64

Changes for libmagickcore-6.q16-7t64 versions:
Installed version: 8:6.9.12.98+dfsg1-5.2build2
Available version: 8:6.9.12.98+dfsg1-5.2ubuntu0.1~esm6

The changelog does not contain any relevant changes.

Package: libmagickwand-6.q16-7t64
libmagickwand-6.q16-7t64

Changes for libmagickwand-6.q16-7t64 versions:
Installed version: 8:6.9.12.98+dfsg1-5.2build2
Available version: 8:6.9.12.98+dfsg1-5.2ubuntu0.1~esm6

The changelog does not contain any relevant changes.

Please use http://launchpad.net/ubuntu/+source/imagemagick/8%3A6.9.12.98+dfsg1-5.2build2/+changelog

Package: libpostproc57
libpostproc57

Changes for libpostproc57 versions:
Installed version: 7:6.1.1-3ubuntu5
Available version: 7:6.1.1-3ubuntu5+esm7

The changelog does not contain any relevant changes.

Please use http://launchpad.net/ubuntu/+source/ffmpeg/7%3A6.1.1-3ubuntu5/+changelog

Package: libswresample4
libswresample4

Changes for libswresample4 versions:
Installed version: 7:6.1.1-3ubuntu5
Available version: 7:6.1.1-3ubuntu5+esm7

The changelog does not contain any relevant changes.

Please use http://launchpad.net/ubuntu/+source/ffmpeg/7%3A6.1.1-3ubuntu5/+changelog

Package: libswscale7
libswscale7

Changes for libswscale7 versions:
Installed version: 7:6.1.1-3ubuntu5
Available version: 7:6.1.1-3ubuntu5+esm7

The changelog does not contain any relevant changes.

Please use http://launchpad.net/ubuntu/+source/ffmpeg/7%3A6.1.1-3ubuntu5/+changelog

Package: libzvbi-common
libzvbi-common

Changes for libzvbi-common versions:
Installed version: 0.2.42-2
Available version: 0.2.42-2ubuntu0.24.04.1~esm1

The changelog does not contain any relevant changes.

Please use http://launchpad.net/ubuntu/+source/zvbi/0.2.42-2/+changelog

Package: libzvbi0t64
libzvbi0t64

Changes for libzvbi0t64 versions:
Installed version: 0.2.42-2
Available version: 0.2.42-2ubuntu0.24.04.1~esm1

The changelog does not contain any relevant changes.

Please use http://launchpad.net/ubuntu/+source/zvbi/0.2.42-2/+changelog

The Pro updates are not for Ubuntu based systems like Pop OS, and whilst some may actually work; as Pop OS isn't using Ubuntu kernels, others can create other problems that cause crashes, or could open worse security holes than the Pro update fixed, a flaw that won't exist on Ubuntu systems.

The Pro fixes will work with Ubuntu's official flavors though, but Ubuntu based systems are a different system (though this will be package specific; flavors installs can use different packages to what was installed on the targeted Ubuntu Desktop/Server system - ensure you read all security notices that are published for clear clues!)

Ubuntu Pro options should not be used with Ubuntu based system, unless you audit yourself what each patch does, and if it'll work or not work without creating issues. System 76 don't do this, thus they don't recommend using Pro or ESM (use Ubuntu if you want those).

Whether or not Ubuntu Pro benefits will be of benefit to you is a personal decision. Most fixes I've explored are for servers and my own desktop usage won't get much benefit. For those fixes that are desktop based - I've still not chosen to grab them, as I don't stick on the LTS release on many of my desktops anyway, thus ESM/Pro isn't an option open for me on some boxes. FYI: I am a Ubuntu member, thus have 50 tokens for Pro/ESM, so shortage of tokens isn't entering my own decision either.

Your usage will decide whether or not you get benefit as to the added security.

I personally don't see added stability though and aren't sure what you are referring to there. Most stability choices I see are made by us, and aren't related to ESM or Pro being enabled.

( I tend to not use releases once they EOSS (esp. on desktop systems); ESM sure makes sense to me there for those that do. ESM & Pro are more or less bundled in recent releases, but differences are release specific. )

@guiverc: Thank you, that answers the question. So with the insider knowledge of a developer and plenty of licenses, you do NOT use Ubuntu Pro in most machines, but you keep your OS version current. And you seem to feel safe that way. On the other hand, if somebody wants to hold on to e.g. 22.04, Pro becomes pretty much a must-have. (And for 24.04, there might be some benefits.)

As for Pop!_OS, let me put it this way: I think Ubuntu also can not just put any new Debian-patch into their repos. They must decide on a case-by-case basis, whether to (1) use it as is, or (2) modify it first, or (3) live without it. Pretty much the same goes for Pop!_OS towards Ubuntu. And for those PRO-updates which I could check, they decided for variant (3). You have a point though when you say that something especially adapted for Ubuntu might do more harm than good in their environment and so it is not clear whether the PRO updates are unnecessary or unusable to them.

I've been using Debian since the 90s, and my servers are still using Debian, so I have no Ubuntu Pro option for those. I didn't start using Ubuntu until 2010, and it still is largely a desktop system for me.

Also please note I'm not a developer; just a Ubuntu Member, thus why I get the extra tokens. My membership was granted mostly for Ubuntu News work; so nothing at all to do with development.

I do not see the security patches as coming from Debian, with patches coming from the actual upstream projects directly; after all not all of Ubuntu code comes from Debian; my current resolute box having quite a number of packages that are newer than my Debian forky box (though as Debian import is currently frozen in Ubuntu development, they'll diverge more in the next few weeks). Kernel patches are mostly version based (backporting beyond version intended takes time & skill to assess effects). I'm using 6.19 currently (Ubuntu), but I've seen the 7.0 sitting in proposed for days now; Debian only rather recently got 6.19 where here in Ubuntu here it's about to disappear. It's rare that Debian has newer kernels than Ubuntu; as kernel code is not imported from Debian.

Hi. Pro is pretty cool for UM-- thank God it's not Ubuntu-based, but an official flavor! I have Jammy and am going to keep my computer the way it is until 2032 (security updates, so all should be good). I have everything set the way I want--couple of external drives, games, and stuff.