Trying to understand the function/purpose/effectiveness of LTS

Robert Heller heller at deepsoft.com
Sun Apr 26 23:00:25 UTC 2020


At Sun, 26 Apr 2020 21:18:09 +0100 "Ubuntu user technical support,  not for general discussions" <ubuntu-users at lists.ubuntu.com> wrote:

> 
> Good evening everyone, hope you all are well.
> 
> disclaimer: I am not a Linux expert or have too much experience with it. 
> The last time I had to deal with Linux was back in the 90s using 
> slackware, redhat and suse (Slackware being the favourite at that time). 
> But I am well versed with various *nix systems and quite comfortable 
> doing my research and finding my ways around. Please note, that is why I 
> came to the list to ask for help in understanding something.
> 
> I am trying to understand the function/purpose of the LTS branch. From 
> what I can gather (and please feel free to correct me if I am mistaken), 
> the LTS stands for Long Term Support, and each LTS is supported for 
> subsequent 5 years. This support includes fixing hardware issue for at 
> least 2 years, and any security/functionality support for at least 5 
> years. This is counted from the time of the initial release.
> 
> This understanding comes, among many others, primarily from 
> https://wiki.ubuntu.com/LTS
> 
> I am slightly confused, and hoping someone might help me understand, 
> what I am experiencing now.
> 
> I have been tasked with looking after a few Ubuntu LTS (16) servers. We 
> use Nessus for security scanning/testing, and all these servers are 
> complaining about OpenSSL 1.0.x and TLSv1 and TLSv1.1. However, as I try 
> to run update and upgrade -- there does not appear to be any update for 
> OpenSSL or any of the relevant packages (Apache, Nginx, OpenSSH). The 
> best I could find through google search is manual injection of OpenSSL, 
> which has the potential to break anything and everything that may rely 
> on the older version of the libraries. Also, if I have to do manual 
> injection, that forfeits the purpose of having a LTS (in my opinion).
> 
> So, I am slightly confused. If I read and understood the LTS definition 
> correctly, then there should have been (at least) security patches up 
> till 2021 (for these servers). I am not trying to be at the bleeding 
> edge, but any and all software that can be picked up by security 
> scanners are expected to be patched (OpenSSH, web servers, etc.). 
> Somehow, these servers are NOT picking up any update relevant to these. 
> And from what I can tell, they have not been tampered with (to my 
> understanding), so it is not a configuration issue.
> 
> I am genuinely trying to understand, what is the benefit having LTS if 
> none of the security issues are taken care of.
> 
> Would appreciate if someone could please help me understand.

The way LTS releases / distros work is this:

When the LTS release or distro is released, the versions of all software* are 
"fixed" and won't change for the life of the LTS release.  Specifically, this 
means that the *APIs* of all of the software won't change.

As for security and bug fix updates, these are "backported" to the version 
that was fixed with the LTS release.  There is a distro/release specific 
versioning for these security and bug fix updates.

The reason for this is to ensure that there are no "surprises" caused by API 
changes due to version updates.  LTS releases are not only supported for a 
long time, but are also API stable.

(*Some software, particularly some application programs, like Firefox, might 
get new versions.)


> 
> Kind regards
> 
> 

-- 
Robert Heller             -- 978-544-6933 Cell: 413-658-7953 GV: 978-633-5364
Deepwoods Software        -- Custom Software Services
http://www.deepsoft.com/  -- Linux Administration Services
heller at deepsoft.com       -- Webhosting Services
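
The backport versioning described in the reply above, as an added example that is not part of the original message: a scanner that looks only at the upstream version flags the package, while comparing the full distro version against the release that carries a fix shows it as patched. The comparison follows dpkg's ordering rules; the version strings and the scanner threshold are constructed sample values, not taken from any advisory, and `audit` is a hypothetical helper.

```python
import re
from itertools import zip_longest

def _order(c):
    # dpkg ordering: '~' sorts before end-of-string, letters before punctuation.
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare alternating non-digit / digit runs of two version parts.
    runs = r"([^0-9]*)([0-9]*)"
    pairs = zip_longest(re.findall(runs, a), re.findall(runs, b), fillvalue=("", ""))
    for (na, da), (nb, db) in pairs:
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
        x, y = int(da or 0), int(db or 0)
        if x != y:
            return -1 if x < y else 1
    return 0

def split_version(v):
    # [epoch:]upstream[-revision]; epoch ends at the first ':',
    # the distro revision starts after the last '-'.
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare(a, b):
    # Returns -1, 0 or 1, like dpkg's version comparison.
    (ea, ua, ra), (eb, ub, rb) = split_version(a), split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def audit(installed, fixed_in, scanner_min_upstream):
    # (flagged by an upstream-only check, patched according to the distro revision)
    flagged = _cmp_part(split_version(installed)[1], scanner_min_upstream) < 0
    return flagged, compare(installed, fixed_in) >= 0

if __name__ == "__main__":
    # Constructed values: installed package, release carrying the backport, scanner threshold.
    print(audit("1.0.2g-1ubuntu4.15", "1.0.2g-1ubuntu4.13", "1.0.2u"))
```
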
                       



