
Question in short

What are the real life (security) risks of using Ubuntu ESM for personal use (Ubuntu for desktop) and what to look out for in general to keep the system secure? Do I need to do anything special and are there any pitfalls if I want to continue using this version?

More details

I still use Xenial Xerus on my home computer and since it reached its end of life I am using it in ESM mode. For reasons out of scope of this question I would also like to use this specific version until it reaches its final EOL in 2026. I use my home computer for tasks like browsing, spreadsheet and text editing, dropboxing, ssh-ing, general command line stuff and occasional TeamViewer.

I researched this topic but after quite some time I am still unsure what to read, and how to proceed. I understand that Universe and Multiverse repositories are not maintained anymore when a version reaches this state. But I probably have a bunch of extra programs installed which are coming from these repositories.

On one hand, it seems that security-wise I am good (additional five years of security and stuff), on the other hand I have a strong feeling that I am at serious risk. Probably I have a bunch of preinstalled programs that I don't even know of and they are a risk.

So I am looking for some hints on how to basically security audit my system, but I am no system administrator, just a regular power user, let's say. Should I for example browse through all the packages installed from these repositories and maybe disable/remove them, or install and get updates from PPAs that are maintained? Or is this the job they do at Canonical and it is called 18.04 and 20.04? :-)

Examples

  • Firefox: I didn't have to go very far: my current Firefox version is 88: firefox/xenial-updates,xenial-security,now 88.0+build2-0ubuntu0.16.04.1 amd64 [installed] - This version of Firefox was released almost a year ago, and the current latest release is 97. I am pretty sure there was at least one security issue in Firefox in a year, but apologies to Mozilla if I am wrong.
  • SMplayer: According to this site: https://launchpad.net/~rvm/+archive/ubuntu/smplayer they even released a version for 12.04 in 2021, so I can assume a 10 year support can be expected from them for Xenial too. I am currently on the latest version.
  • Python 2: Python 2.7.18 was the last Python release of the 2.x branch. apt-list says: python2.7/xenial-updates,xenial-security,now 2.7.12-1ubuntu0~16.04.18 amd64 [installed] - Does ESM mean that if there is a security issue in Python, Canonical fixes it? I would be surprised.
  • Unity: There have been no commits in its repository since 2017.

These are just random examples off the top of my head, but probably the rabbit hole goes way deeper.

A final thought

Re-reading my post with the examples section I probably answered my own question but I would like to hear other opinions too. Is there a way to use an Ubuntu desktop version for 10 years for real?

Thanks in advance!

tnagy.adam
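One way to do the audit the question asks about (which installed packages came from Universe/Multiverse, which came from a PPA, and which have no live source at all), as an added example that is not part of the original question or its comments. It assumes the `apt-cache policy <pkg>` output format used by Ubuntu 16.04 and classifies the *installed* version of each package by the first archive origin listed under it. Every sample output embedded in the block is constructed for this example: only the Firefox version string is the one quoted in the question; the SMplayer, `somelib` and `somepkg` versions are made up.

```shell
#!/bin/sh
# Added example, not from the original question: classify each installed package by
# where its installed version comes from, so Universe/Multiverse packages (no longer
# maintained once the release enters ESM), PPA packages and packages with no live
# source at all can be reviewed separately.
# Assumes the "apt-cache policy <pkg>" output format of Ubuntu 16.04. All sample
# output below is constructed for this example.

# Read "apt-cache policy <pkg>" output on stdin and print the origin of the
# *installed* version: main / restricted / universe / multiverse, "ppa:<owner>/<name>"
# for a Launchpad PPA, or "local-only" when the only entry is /var/lib/dpkg/status
# (a removed repository, a hand-installed .deb, or a version no longer published).
component_of_policy() {
    awk '
        # " *** <version> <priority>" marks the installed version in the version table
        /^ *\*\*\* / { in_installed = 1; next }
        # origin lines below it: "        500 http://host/ubuntu xenial-updates/universe amd64 Packages"
        in_installed && ($2 ~ /^[a-z]+:\/\// || $2 ~ /^\//) {
            if ($2 ~ /^\/var\/lib\/dpkg\/status/) next      # the local dpkg database is not a source
            if ($2 ~ /ppa\.launchpad\.net\//) {
                split($2, u, "/")                            # http: "" ppa.launchpad.net owner name ubuntu
                print "ppa:" u[4] "/" u[5]; found = 1; exit
            }
            n = split($3, s, "/")                            # "xenial-updates/universe" -> "universe"
            comp = (n >= 2) ? s[2] : "unknown"
            print comp; found = 1; exit
        }
        in_installed { exit }                                # reached the next version entry
        END { if (!found) print "local-only" }
    '
}

# On a real system: print "<origin> <package>" for every installed package.
# Does nothing when apt-cache/dpkg-query are not available (e.g. outside Debian/Ubuntu).
audit_installed_sources() {
    command -v apt-cache >/dev/null 2>&1 && command -v dpkg-query >/dev/null 2>&1 || return 0
    dpkg-query -W -f '${db:Status-Status} ${binary:Package}\n' |
        awk '$1 == "installed" { print $2 }' |
        while read -r pkg; do
            printf '%s %s\n' "$(apt-cache policy "$pkg" | component_of_policy)" "$pkg"
        done
}

# --- constructed samples (only the Firefox version string is taken from the question) ---
SAMPLE_FIREFOX=$(cat <<'EOF'
firefox:
  Installed: 88.0+build2-0ubuntu0.16.04.1
  Candidate: 88.0+build2-0ubuntu0.16.04.1
  Version table:
 *** 88.0+build2-0ubuntu0.16.04.1 500
        500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
        100 /var/lib/dpkg/status
     45.0+build1-0ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
EOF
)
SAMPLE_SMPLAYER=$(cat <<'EOF'
smplayer:
  Installed: 21.10.0~xenial1
  Candidate: 21.10.0~xenial1
  Version table:
 *** 21.10.0~xenial1 500
        500 http://ppa.launchpad.net/rvm/smplayer/ubuntu xenial/main amd64 Packages
        100 /var/lib/dpkg/status
     16.1.0-1 500
        500 http://archive.ubuntu.com/ubuntu xenial/universe amd64 Packages
EOF
)
SAMPLE_UNIVERSE=$(cat <<'EOF'
somelib:
  Installed: 0.9-1
  Candidate: 0.9-1
  Version table:
 *** 0.9-1 500
        500 http://archive.ubuntu.com/ubuntu xenial/universe amd64 Packages
        100 /var/lib/dpkg/status
EOF
)
SAMPLE_ORPHAN=$(cat <<'EOF'
somepkg:
  Installed: 1.2-3
  Candidate: 1.2-3
  Version table:
 *** 1.2-3 100
        100 /var/lib/dpkg/status
EOF
)

# Run the classifier over the samples; on a real 16.04 box use audit_installed_sources.
demo() {
    printf '%s firefox\n'  "$(printf '%s\n' "$SAMPLE_FIREFOX"  | component_of_policy)"
    printf '%s smplayer\n' "$(printf '%s\n' "$SAMPLE_SMPLAYER" | component_of_policy)"
    printf '%s somelib\n'  "$(printf '%s\n' "$SAMPLE_UNIVERSE" | component_of_policy)"
    printf '%s somepkg\n'  "$(printf '%s\n' "$SAMPLE_ORPHAN"   | component_of_policy)"
}
demo
```

On a real 16.04 system, `audit_installed_sources | sort | grep -E '^(universe|multiverse|local-only|ppa:)'` gives the list worth going through by hand: `universe`/`multiverse` entries are what ESM does not cover, `ppa:` entries depend on the PPA owner still publishing for xenial, and `local-only` entries have no source left that could ever deliver a fix. A package reported as `main` is only as safe as the note in the comments below about Firefox suggests: being in main means ESM *may* patch it, not that it will. If the `update-manager-core` package is installed, `ubuntu-support-status` prints a similar supported/unsupported summary from Canonical's own metadata and is worth comparing against this output.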
  • You could keep your old versions (and your old browser) but you also will miss security updates. You could make your own "retro" version and compile the fixes on your own... You won't get any help from this forum though: click – kanehekili Feb 20 '22 at 20:42
  • Did you read the ESM support notes; you mention firefox which was one of the desktop apps that only receive support via snap package versions (as they are the same for all releases). The deb package is not supported into ESM which was clearly stated. – guiverc Feb 20 '22 at 21:18
  • 4
    In the simplest terms possible, ESM gives more time to upgrade to a newer release giving access to critical updates. This is most relevant for organizations who use Ubuntu for mission critical services. Even for those users it's recommended for all users to upgrade to a supported release as a priority. So your plan to ride ESM until the very end- that's not the purpose of ESM. As a general purpose desktop user, as you've described your use case, ESM isn't really appropriate for your use case. See: https://ubuntu.com/blog/ubuntu-16-04-lts-transitions-to-extended-security-maintenance-esm – Nmath Feb 20 '22 at 21:18
  • 1
    The risks are that you may lose all your data (oops), that you may the the victim of a computer-based crime (extortion, theft), or that you may become an unwitting accomplice (botnet). However, those are ALWAYS the risks. If you have the skills to manage and mitigate those risks yourself, then ESM can likely be safely used...but the phrasing of the question suggests that you may not be ready for that burden. – user535733 Feb 20 '22 at 23:30
  • For example, transitioning from 16.04 to a future 26.04 might simply be too large of a gap for some of your data (oops). We don't know that -- we have not tested it. Nobody has tested it. You will be the tester, trying it without support. – user535733 Feb 20 '22 at 23:49
  • Thanks for the information, I missed the info about Firefox, installed SMplayer from rvm's ppa instead of Universe, but never cared about Python so much.

    These were just random examples though, what I am looking for is a general way to handle the situation.

    So far here are the results:

    • Carefully read the ESM release notes and documentation
    • Using Snaps might help
    • ESM's purpose is not to use a desktop Ubuntu until it ends, but to have a safety net just in case.
    – tnagy.adam Feb 21 '22 at 09:18
  • • This process is too much work to handle by one; it is basically not worth it.
    • The user needs to stay up to date instead of the distribution's vendor.
    • It is only safe if the user is fully aware of the system and knows all its bits and pieces.
    – tnagy.adam Feb 21 '22 at 09:32