Ubuntu Archive

Ubuntu security updates are a confusing mess

I’ve read this article several times now, and I’m still not entirely sure how to properly summarise the main points without leaving important details out. If you really boil it down to the very bare essentials: which packages get updates on which Ubuntu release is a confusing mess that most normal users will never be able to understand, potentially leaving them vulnerable to security flaws that have already been widely patched and are available on Ubuntu – just not for your specific Ubuntu version, your specific customer type, or the specific package type in question. So, in the case of McPhail here, they needed a patched version of tomcat9 for Ubuntu 22.04. This patched version was available for Ubuntu 18.04 users because not only is 18.04 an LTS release – meaning five years of support – Canonical also offers a commercial Extended Security Maintenance (ESM) subscription for 18.04, so if you’re paying for that, you get the patched tomcat9. On Ubuntu 20.04, another LTS release, the patched version of tomcat9 is available for everyone, but for the version McPhail is running, the newer LTS release 22.04, it’s only available to Ubuntu Pro subscribers (24.04 is not affected, so not relevant for this discussion). Intuitively, this doesn’t make any sense. The main cause of the weird discrepancy between 20.04 and 22.04 is that Canonical’s LTS support only covers the packages in main (about 10% of the total number of packages), whereas tomcat9 lives in universe (90% of packages). LTS packages in universe are only supported on a “best effort” basis, and one of the ways a patched universe package can be made available to non-paying LTS users is if it is inherited from Debian, which happens to be the case for tomcat9 in 20.04, while in 22.04, it’s considered part of an Ubuntu Pro subscription. So, there’s a fixed package, but 22.04 LTS users, who may expect LTS to truly mean LTS, don’t get the patched version that exists and is ready to go without issues. Wild.
This is incredibly confusing, and would make me run for the Debian hills before my next reboot. I understand maintaining packages is a difficult, thankless task, but the nebulousness here is entirely of Canonical’s own making, and it’s without a doubt leaving users vulnerable who fully expect to be safe and all patched up because they’re using an LTS release.
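A check an LTS administrator could run to find out which installed packages come from universe rather than main, added here as an illustration (it is not from the article, Canonical or Ubuntu Pro tooling): it parses `apt-cache policy` output, and the sample output below is constructed for a hypothetical 22.04 host, not captured from a real system.

```python
import re
from typing import Dict, List, Set

# Constructed sample of `apt-cache policy tomcat9 openssl` output on a
# hypothetical 22.04 (jammy) host; it is not captured from a real machine.
SAMPLE_POLICY = """\
tomcat9:
  Installed: 9.0.58-1
  Candidate: 9.0.58-1
  Version table:
 *** 9.0.58-1 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
        100 /var/lib/dpkg/status
openssl:
  Installed: 3.0.2-0ubuntu1.15
  Candidate: 3.0.2-0ubuntu1.15
  Version table:
 *** 3.0.2-0ubuntu1.15 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
        100 /var/lib/dpkg/status
     3.0.2-0ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages
"""

# Components Canonical commits to patching for the whole LTS period: main (as
# the article says) plus restricted, which is maintained alongside it.
# universe and multiverse are the "best effort" components.
FULLY_SUPPORTED = {"main", "restricted"}

# A source row looks like: "        500 http://host/ubuntu jammy/universe amd64 Packages"
SOURCE_RE = re.compile(r"^\s+\d+\s+\S+\s+(\S+)/(\S+)\s+\S+\s+Packages$")
PACKAGE_RE = re.compile(r"^(\S+):$")
INSTALLED_RE = re.compile(r"^ \*\*\* \S+ \d+$")      # the "***" row is the installed version
OTHER_VERSION_RE = re.compile(r"^ {5}\S+ \d+$")     # any other version row


def installed_components(policy_text: str) -> Dict[str, Set[str]]:
    """Map each package to the archive components that carry its *installed*
    version. An empty set means no configured archive carries it at all
    (only /var/lib/dpkg/status knows about it)."""
    result: Dict[str, Set[str]] = {}
    current = None
    in_installed = False
    for line in policy_text.splitlines():
        m = PACKAGE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = set()
            in_installed = False
            continue
        if INSTALLED_RE.match(line):
            in_installed = True
            continue
        if OTHER_VERSION_RE.match(line):
            in_installed = False
            continue
        m = SOURCE_RE.match(line)
        if m and in_installed and current is not None:
            result[current].add(m.group(2))   # component, e.g. "universe"
    return result


def best_effort_packages(policy_text: str) -> List[str]:
    """Packages whose installed version is outside main/restricted, i.e. the
    ones the LTS commitment does not cover without Ubuntu Pro."""
    comps = installed_components(policy_text)
    return sorted(p for p, c in comps.items() if not (c & FULLY_SUPPORTED))


if __name__ == "__main__":
    # On a real host: apt-cache policy $(dpkg-query -W -f='${binary:Package}\n')
    for pkg in best_effort_packages(SAMPLE_POLICY):
        print(f"{pkg}: installed version comes from outside main/restricted")
```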

“I fixed a 6-year-old .deb installation bug in Ubuntu MATE and Xubuntu”

I love a good bug hunting story, and this one is right up there as a great one. Way back in 2018, Doug Brown discovered that after installing Ubuntu MATE 18.04, if he launched Firefox from the icon in the default panel arrangement to install Chrome from the official Chrome website, the process was broken. After downloading the .deb and double-clicking it, GDebi would appear, but after clicking “Install”, nothing happened. What was supposed to happen is that after clicking “Install”, an authentication dialog should appear where you enter your root password, courtesy of gksu. However, this dialog did not appear, and without thinking too much of it, Brown shrugged and just installed the downloaded Chrome .deb through the terminal, which worked just fine. While he didn’t look any deeper into the cause of the issue, he did note that as the years and new Ubuntu releases progressed, the bug would still be there, all the way up until the most recent release. Finally, 2.5 years ago, he decided to dive into the bug. It turned out there were lots of reports about this issue, but nobody stepped up to fix it. Workarounds were made available through wrapper scripts, and deeper investigations into the cause revealed helpful information. The actual error message was a doozy: “Refusing to render service to dead parents”, which is quite metal and a little disturbing.
In summary, the problem was that GDebi was using execv() to replace itself with an instance of pkexec, which was intended to bring up an authentication dialog and then allow GDebi to run as a superuser. pkexec didn’t like this arrangement, because it wants to have a parent process other than init. Alkis mentioned that you could recreate the problematic scenario in a terminal window by running gdebi-gtk with setsid to run it in a new session. ↫ Doug Brown
Backing up a few steps, if the name “gksu” rings a bell for you, you might have already figured out where the problem most likely originated from.
Right around that time, 2018, Ubuntu switched to using PolicyKit instead, and gksu was removed from Ubuntu. GDebi was patched to work with PolicyKit instead, and this was what introduced the actual bug. Sadly, despite having a clear idea of the origin of the bug, as well as where to look to actually fix it, nobody picked it up. It sat there for years, causing problems for users, without a fix in sight. Brown was motivated enough to fix it, submitted the patch, but after receiving word it would be looked at within a few days, he never heard anything back for years, not helped by the fact that GDebi has long been unmaintained. It wasn’t until very recently that he decided to go back again, and this time, after filling out additional information required for a patch for an unmaintained package, it was picked up, and will become available in the next Ubuntu release (and will most likely be backported, too). Brown further explains why it took so long for the bug to be definitely fixed. Not only is GDebi unmaintained, the bug also only manifested itself when launching Firefox from the panel icon – it did not manifest when launching Firefox from the MATE menu, so a lot of people never experienced it. On top of that, as we all sadly know, Ubuntu replaced the Firefox .deb package with the SNAP version, which also doesn’t trigger the bug. It’s a long story for sure, but a very interesting one. It shows how sometimes, the stars just align to make sure a bug does not get fixed, even if everyone involved knows how to fix it, and even if fixes have been submitted. Sometimes, things just compound to cause a bug to fall through the cracks.
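To make the parent-process point concrete, here is an added illustration that is neither GDebi’s code nor Brown’s patch: a constructed stand-in for pkexec simply reports its parent PID, and the two launch paths show why exec()ing straight into a privilege helper after being started under setsid leaves it with init as a parent, while forking first keeps the launcher as the parent.

```python
import os
import subprocess
import sys
import time

# Constructed stand-in for pkexec: it only prints the PID of its parent.
# Real pkexec looks at its parent to find the session it must authenticate
# against, and refuses to run when that parent is init.
REPORT_PPID = "import os; print(os.getppid())"


def launcher_pid() -> int:
    """PID of the process asking for privileges (the 'GDebi' in this story)."""
    return os.getpid()


def launch_with_fork(helper_src: str = REPORT_PPID) -> int:
    """Fixed pattern: fork, then exec the helper in the child, so the helper's
    parent is this process. subprocess.run does exactly that."""
    proc = subprocess.run([sys.executable, "-c", helper_src],
                          capture_output=True, text=True, check=True)
    return int(proc.stdout)


def launch_detached_then_exec(helper_src: str = REPORT_PPID) -> int:
    """Broken scenario: `setsid gdebi-gtk` followed by GDebi's execv() into
    pkexec. The intermediate process (what setsid started) forks once more
    and exits, so the process that finally execs the helper has been orphaned
    and re-parented to init (or the nearest child subreaper)."""
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:                          # intermediate: new session, like setsid
        os.setsid()
        if os.fork() == 0:                # this process will become the helper
            my_parent = os.getppid()
            for _ in range(500):          # wait until the intermediate is gone
                if os.getppid() != my_parent:
                    break
                time.sleep(0.01)
            os.close(rfd)
            os.dup2(wfd, 1)               # helper's stdout goes to our pipe
            # replace ourselves with the helper: this is what execv() does
            os.execv(sys.executable, [sys.executable, "-c", helper_src])
        os._exit(0)                       # intermediate exits, orphaning the child
    os.close(wfd)
    os.waitpid(pid, 0)
    with os.fdopen(rfd) as out:           # EOF arrives once the helper exits
        return int(out.read())


def helper_sees_launcher(ppid: int) -> bool:
    """The property pkexec needs: is the helper's parent the process that asked
    for privileges, rather than init?"""
    return ppid == launcher_pid()


if __name__ == "__main__":
    print("fork+exec   -> parent is launcher:", helper_sees_launcher(launch_with_fork()))
    print("setsid+exec -> parent is launcher:", helper_sees_launcher(launch_detached_then_exec()))
```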

Ubuntu 24.10 will default NVIDIA users to Wayland

The transition to Wayland is nearing completion for most desktop Linux users. The most popular desktop Linux distribution in the world, Ubuntu, has made the call and is switching its NVIDIA users over to Wayland by default in the upcoming release of Ubuntu 24.10.
The proprietary NVIDIA graphics driver has been the hold-out on Ubuntu in sticking to the GNOME X.Org session out-of-the-box rather than Wayland as has been the default for the past several releases when using other GPUs/drivers. But for Ubuntu 24.10, the plan is to cross that threshold for NVIDIA now that their official driver has much better Wayland support and has matured into great shape. Particularly with the upcoming NVIDIA R555 driver reaching stable very soon, the Wayland support is in great shape with features like explicit sync ready to use. ↫ Michael Larabel
This is great news for the Linux desktop, as having such a popular Linux distribution defaulting the users of the most popular graphics card brand to X.org created a major holdout. None of this obviously means that Wayland is perfect or that all use cases are covered – accessibility is an important use case where tooling simply hasn’t been optimised yet for Wayland, but work is underway – and for those of us who prefer X.org for a variety of reasons, there are still countless distributions offering it as a fallback or as the default option.

Canonical and DeepComputing announce new RISC-V laptop shipping with Ubuntu

Speaking of PCs that don’t use x86 chips, Canonical and DeepComputing today announced a new RISC-V laptop running Ubuntu, available for pre-order in a few days. It’s the successor to the DC-ROMA, which shipped last year.
Adding to a long list of firsts, the new DC-ROMA laptop II is the first to feature SpacemiT’s SoC K1 – with its 8-core RISC-V CPU running at up to 2.0GHz with 16GB of memory. This significantly doubled its overall performance and energy efficiency over the previous generation’s 4-core SoC running at 1.5GHz. Moreover, SpacemiT’s SoC K1 is also the world’s first SoC to support RISC-V high performance computing RVA 22 Profile RVV 1.0 with 256 bit width, and to have powerful AI capabilities with its customised matrix operation instruction based on IME Group design principle! This second-generation DC-ROMA RISC-V laptop also features an all-metal casing making it more durable, as well as improving heat dissipation and more on its premium class look and feel compared to the previous generation. ↫ Canonical’s blog
The DC-ROMA II is clearly aimed at developers, as it has what is essentially a GeekPort on the side of the laptop, to aid in porting and debugging software. Aside from that and the RISC-V processor, it’s a rather mid-range kind of device, and no pricing has been published yet so I’m not sure if this is something I could afford for an OSNews review. Once the preorders go live in a few days, we’ll know more. If you’d like to see this RISC-V laptop make an appearance on OSNews, let me know, and I’ll see what I can do.

Canonical releases Real-time Ubuntu 24.04 LTS

Real-time Ubuntu 24.04 LTS integrates the PREEMPT_RT patch on AMD64 and ARM64. As the de-facto Linux real-time implementation, PREEMPT_RT increases predictability by modifying the existing kernel code. With time-bound responses for mission-critical latency requirements, Real-time Ubuntu 24.04 LTS provides deterministic processing to the most demanding workloads across industries, from manufacturing and automotive to the critical infrastructure of telco operators. ↫ Edoardo Barbieri at the Ubuntu blog
If you need it, you need it, but it’s exclusive to Ubuntu Pro. Luckily Pro is free for personal use, so if you really need Ubuntu but with a real-time kernel – based on Linux 6.8 – there’s nothing stopping you.

Ubuntu 24.04 LTS released

It wasn’t too long ago that new Ubuntu releases were major happenings in the Linux world, as it was the default Linux distribution for many, both old hands and newcomers, in the desktop Linux space. These days, Ubuntu releases hit a little different, with Canonical’s focus having shifted much more to the enterprise, and several aspects of the distribution being decidedly unpopular, like the snap package management system. Still, Ubuntu is probably one of the most popular, if not the most popular, distributions out there, so any new release, like today’s Ubuntu 24.04 LTS, is still a big deal.
Ubuntu Desktop brings the Subiquity installer to an LTS for the first time. In addition to a refreshed user experience and a minimal install by default, the installer now includes experimental support for ZFS and TPM-based full disk encryption and the ability to import auto-install configurations. Post install, users will be greeted with the latest GNOME 46 alongside a new App Center and firmware-updater. Netplan is now the default for networking configuration and supports bidirectionality with NetworkManager. ↫ Utkarsh Gupta on ubuntu-announce
Of course, all the various other Ubuntu editions have also seen new releases: Edubuntu, Kubuntu, Lubuntu, Ubuntu Budgie, Ubuntu Cinnamon, Ubuntu Kylin, Ubuntu MATE, Ubuntu Studio, Ubuntu Unity, and Xubuntu. Yes, that’s a long list. They all mostly share the same improvements as Ubuntu’s main course, but paired with the latest versions of the respective desktop environments instead. Except for Kubuntu. Unlike just about any other major distribution released over the last few months, such as Fedora 40 only a few days ago, Kubuntu does not ship with the new KDE Plasma 6, opting for Plasma 5.27.11 instead. There simply wasn’t enough time between the release of Plasma 6 and the Ubuntu feature freeze, so they made the – in my opinion – understandable call to stick to Plasma 5 for now, moving Plasma 6 to the next release later this year.

Ubuntu 24.04 supports easy installation of OpenZFS root file-system with encryption

So with Ubuntu 24.04 LTS there is the ability to continue with a standard EXT4 file-system install, an encrypted file-system using LVM, or using OpenZFS with/without encryption. Ubuntu 24.04 LTS also has the ability to enjoy hardware-backed full-disk encryption with TPM as another new experimental option. Or, of course, the Ubuntu desktop installer continues supporting manual (custom) partitioning as well. ↫ Michael Larabel
I just use whatever Btrfs setup Fedora automatically recommends when I let it take over a disk – file systems for desktops seem a bit like a solved problem to me personally – but I’m still curious what benefits, for instance, an OpenZFS setup could bring to a desktop user compared to Btrfs or a basic Ext4 setup. Why should a desktop user use OpenZFS?

Ubuntu will manually review Snap Store after crypto wallet scams

The Snap Store, where containerized Snap apps are distributed for Ubuntu’s Linux distribution, has been attacked for months by fake crypto wallet uploads that seek to steal users’ currencies. As a result, engineers at Ubuntu’s parent firm are now manually reviewing apps uploaded to the store before they are available. The move follows weeks of reporting by Alan Pope, a former Canonical/Ubuntu staffer on the Snapcraft team, who is still very active in the ecosystem. In February, Pope blogged about how one bitcoin investor lost nine bitcoins (about $490,000 at the time) by using an “Exodus Wallet” app from the Snap store. Exodus is a known cryptocurrency wallet, but this wallet was not from that entity. As detailed by one user wondering what happened on the Snapcraft forums, the wallet immediately transferred his entire balance to an unknown address after a 12-word recovery phrase was entered (which Exodus tells you on support pages never to do). ↫ Kevin Purdy at Ars Technica
Cryptocurrency, or as I like to call it, MLMs for men, is a scammer’s goldmine. It’s a scam used to scam people. Add in a poorly maintained application store like Ubuntu’s Snap Store, and it’s a dangerous mix of incompetence and scammers. I honestly thought Canonical already nominally checked the Snap Store – as one of its redeeming features, perhaps its only redeeming feature – but it turns out anyone could just upload whatever they wanted and have it appear in the store application on every Ubuntu installation. Excellent.

Canonical expands Long Term Support to 12 years starting with Ubuntu 14.04 LTS

Today, Canonical announced the general availability of Legacy Support, an Ubuntu Pro add-on that expands security and support coverage for Ubuntu LTS releases to 12 years. The add-on will be available for Ubuntu 14.04 LTS onwards. Long term supported Ubuntu releases get five years of standard security maintenance on the main Ubuntu repository. Ubuntu Pro expands that commitment to 10 years on both the main and universe repositories, providing enterprises and end users alike access to a vast secure open source software library. The subscription also comes with a phone and ticket support tier. Ubuntu Pro paying customers can purchase an extra two years of security maintenance and support with the new Legacy Support add-on. ↫ Canonical blog
Assuming all of this respects the open source licenses of the countless software packages that make up Ubuntu, this seems like a reasonable way to offer quite a long support lifecycle for those that really need it. Such support doesn’t come free, and I think it’s entirely reasonable to try and get compensated for the work required in maintaining that level of support for 10 or 12 years. If you want this kind of longevity from your Linux installation without paying for it, you’ll have to maintain it yourself. Seems reasonable to me.

Frame pointers enabled by default in Ubuntu 24.04 LTS

In collaboration with Polar Signals we have committed that beginning with Ubuntu 24.04 LTS, our GNU Compiler Collection (GCC) package will enable frame pointers by default for 64-bit platforms. All packages in Ubuntu, with very few exceptions, will be rebuilt with frame pointers enabled, making them easier to profile and subsequently optimise. “I’ve enabled frame pointers at huge scale for Java and glibc and studied the CPU overhead for this change, which is typically less than 1% and usually so close to zero that it is hard to measure. Frame pointers allow more complete CPU profiling and off-CPU profiling. The performance wins that these can provide far outweigh the comparatively tiny loss in performance. Ubuntu enabling frame pointers by default will be a huge win for performance engineering and the default developer experience,” said Brendan Gregg, computer performance expert and Intel Fellow. ↫ Oliver Smith on the official Ubuntu blog
So I guess the very minor performance regression is supposed to be compensated for by optimisations in individual packages that frame pointers will help realise.

Ubuntu Touch OTA-3 Focal released

A new update for Ubuntu Touch is here – adding Ubuntu 20.04 LTS support for new devices (the PinePhone, PinePhone Pro, PineTab and PineTab 2), and containing a whole slew of bug fixes and new features. It’s awesome to see the UBPorts team delivering a steady stream of updates, keeping the Ubuntu Touch platform alive and kicking.

Ubuntu Desktop 23.10 release image taken down due to “malicious translation incident”

In case you’re wondering why you can’t download the latest Ubuntu desktop version that was released earlier this week – it seems to have a bit of a rogue translation issue.
A community contributor submitted offensive Ukrainian translations to a public, third party online service that we use to provide language support for the Ubuntu Desktop installer. Around three hours after the release of Ubuntu 23.10 this fact was brought to our attention and we immediately removed the affected images. After completing initial triage, we believe that the incident only impacts translations presented to a user during installation through the Live CD environment (not an upgrade). During installation the translations are resident in memory only and are not propagated to the disk. If you have upgraded to Ubuntu Desktop 23.10 from a previous release, then you are not affected by this issue.
That’s the difference between volunteer translations nobody checks, and proper translations that go through an extensive review process. As a translator – pay for your translations, and shit like this does not happen. Period.

Ubuntu 23.10 released

Summarising Ubuntu 23.10 in just one word is tricky, but ‘refinement’ feels an apt choice. GNOME 45 brings a bevvy of buffs to the core desktop experience; improved window tiling; a sharper-looking web-browser; a pair of brand-new Flutter-based apps; and a colossal change to the amount of software preinstalled in new Ubuntu installations. Foundationally, Ubuntu 23.04 runs on Linux kernel 6.5, ships Mesa 23.2 graphics drivers (with in-distro access to proprietary NVIDIA drivers for those who need them), and updates the tooling, toolchains, and programming packages devs need.
The distribution you won’t be using directly.

TPM-backed full disk encryption is coming to Ubuntu

Based on Ubuntu Core’s FDE design, we have been working on bringing TPM-backed full disk encryption to classic Ubuntu Desktop systems as well, starting with Ubuntu 23.10 (Mantic Minotaur) – where it will be available as an experimental feature. This means that passphrases will no longer be needed on supported platforms, and that the secret used to decrypt the encrypted data will be protected by a TPM and recovered automatically only by early boot software that is authorised to access the data. Besides its usability improvements, TPM-backed FDE also protects its users from “evil maid” attacks that can take advantage of the lack of a way to authenticate the boot software, namely initrd, to end users.
I’m not well-versed enough on this topic to make any meaningful comments, other than as long as it’s a choice presented to users, it seems like a good thing.

I think Ubuntu 23.10 is making a mistake

The next version of the world’s most popular desktop Linux operating system (that’s Ubuntu, for those playing dumb) comes with fewer apps available out-of-the-box. Daily builds of Ubuntu 23.10 now ship with just a super-slim set of default software. These are designed to cover basic computing needs only. For anything else, the idea is that we, the user, fire up the Software Store (though the new one isn’t included in daily builds yet) and install what we want for ourselves. As an idea, it’s not without merit. But in practice, I think it’s a potential misstep.
Basically, Ubuntu will no longer ship with LibreOffice, an email client, Shotwell, or a host of other applications and tools. While there’s certainly a market for slim distributions that install a lean and mean base installation for the user to expand into exactly the installation they desire, I doubt users opting for such an approach are interested in using Ubuntu, of all distributions (use Void. It’s the only Linux distribution with the official OSNews Seal of Approval™). In other words, this seems like an odd choice for a distribution aimed at relative newcomers to the Linux world. But then again, Fedora is a better choice for those people anyway.

Ubuntu 23.04 broke 32-bit app support (and no-one noticed)

Turns out that installing the Steam client from the Ubuntu repos on a new Ubuntu 23.04 install doesn’t work – and barely anyone noticed. Which is kind of surprising given the popularity of Steam, but also kind of not — and I’ll get to why in a second. So what’s the rub?
This whole saga seems to illustrate that most Steam users on Linux install Steam from Valve itself, instead of using the packaged version. Interesting.

Ubuntu Desktop: charting a course for the future

It has been a little while since we shared our vision for Ubuntu Desktop, and explained how our current roadmap fits into our long term strategic thinking. Recently, we embarked on an internal exercise to consolidate and bring structure to our values and goals for how we plan to evolve the desktop experience over the next few years. This post is designed to share the output of those discussions and give insight into the direction we’re going. These values form the framework by which we determine our priorities and measure our progress, and hopefully inspire those that want to contribute to this experience to focus their energies in ways that are aligned with our longer term ambitions.
I was hoping for more concrete ideas, plans, and ambitions from Canonical here, but this one is a bit of a nothingburger. There’s a lot happening in the desktop Linux world, especially around immutability, and I see nothing here about such long-term plans, or even relatively short-term meaningful desktop improvements.

Ubuntu Touch OTA-2 Focal Release released

UBPorts has released the second update for the Ubuntu Touch version based on Focal Fossa. In this new version, the System Settings application has been improved in various places, the physical camera button now works (on devices that have one, I presume), and a whole load of bugs have been fixed. Device support has also improved, with the F(x)tec Pro1 X, Fairphone 3, and Vollaphone X23 now being supported by the Focal releases.

Ubuntu 23.10’s new software app will demote DEBs

Ubuntu is a Debian-based Linux distribution but it’s increasingly positioning snaps as the preferred way to ‘get’ software. The aim is, eventually, to default to a full-snap experience on the desktop. With that plan in mind you won’t be mighty surprised (and if you are, welcome back to planet earth) to hear that showcasing DEB software will not be the primary aim of this new Ubuntu Software replacement. Ubuntu’s Director of Engineering says the new hub will be a “snap-first app store” designed around snap metadata. If the same piece of software exists in the Ubuntu repository and the snap store the new store will only make it possible to install the snap version.
This is not a surprising move, but one that is sure to alienate at least some – including me. Not that I’d use Ubuntu any time soon anyway, but forcing Snaps down my throat certainly isn’t going to draw me back in.