Announcement

**ALRBP** · 21 September 2021, 08:22 AM

I am not sure that very long support (>6 years) is really a good idea. Most software aren't supported for that long, and Canonical can't do all the work themselves to maintain all their packages. They can't either update to newer versions, since they have modern dependencies. That means that these LTS will end up with numerous unmaintained software that may have security issues. Also, keeping very old software running can cause compatibility issues with newer systems. Having long term support to prevent too frequent updates is good, but there is a limit. Customers should update their software rather than relying on extended support.

**vsteel** · 21 September 2021, 08:38 AM

This is for industrial manufacturing machines, places where they are on the network so they need security but they are not updating anything unless they have to. Yes a lot of the packages will be old but they don't care, they need the machine to just run. This is not for general users who are playing games and surfing the web unless they are the "I don't want anything to change on my computer, ever." people. You could try and help them but they will just yell at you to get off of their lawn.

**evasb** · 21 September 2021, 08:42 AM

In many industrial situations, ppl still use Windows XP/2000/NT. I think that is reasonable to believe we have many old Debians/Ubuntus/RHs in the wild that are in the same situation: it just works, and the computers doesn't need to be connected to the internet. Why would you upgrade them?

**spirit** · 21 September 2021, 08:48 AM

Originally posted by evasb View Post

Why would you upgrade them?

yes, why ?

Renault shut down several French factories after cyberattack

https://www.theverge.com/2017/5/14/15637472/renault-nissan-shut-down-french-uk-factories-wannacry-cyberattack

The attack also affected one of Nissan’s UK factories

**dh04000** · 21 September 2021, 08:57 AM

spirit
That example is for machines that were internet facing, yet the person you quoted was making the point that old machines could simply not be connected to the web.

Either you didn't read or you didn't understand.

**skeevy420** · 21 September 2021, 08:59 AM

Originally posted by spirit View Post

yes, why ?

https://www.theverge.com/2017/5/14/1...ry-cyberattack

Those were connected to the internet and were the target of state sponsored hacking...North Korea in that case... Both staying as up to date as possible and keeping off the internet unless necessary are rather moot when state-level agencies are after your data.

Random hackers and viruses? Sure.
Hacker Agencies operating out of America, Russia, China, North Korea, Germany?

This is for mostly off-line systems and, like any other OS, is still gonna be vulnerable to the NSA or North Korea (especially if they have boots on the ground).

**spirit** · 21 September 2021, 09:30 AM

Originally posted by dh04000 View Post

spirit
That example is for machines that were internet facing, yet the person you quoted was making the point that old machines could simply not be connected to the web.

Either you didn't read or you didn't understand.

I mean, It's ok for machines without any network connection (no local network connection, not only internet), or even usb port (hello stuxnet)
I don't known if they are this kind of machines in industry without any local network remote monitoring for example.

**debrouxl** · 21 September 2021, 10:33 AM

Agreed with ALRBP. Even a period of 5 years of so-called LTS is BS for the vast majority of projects out there (for simple resource reasons), so this is a step in the wrong direction... It can only give an illusion of security to technically illiterate management, marketing and financial types, and that's dangerous. For most use cases, if security were actually a priority, a much higher rate of change would be embraced.

**calc** · 21 September 2021, 10:34 AM

Originally posted by ALRBP View Post

I am not sure that very long support (>6 years) is really a good idea. Most software aren't supported for that long, and Canonical can't do all the work themselves to maintain all their packages. They can't either update to newer versions, since they have modern dependencies. That means that these LTS will end up with numerous unmaintained software that may have security issues.

Red Hat and Suse both already do this without a problem and they backport fixes instead of rebasing to newer versions. So Canonical is at a competitive disadvantage if they don't.

Red Hat Enterprise Linux Life Cycle - Red Hat Customer Portal

https://access.redhat.com/support/policy/updates/errata

Access Red Hat’s knowledge, guidance, and support through your subscription.

Product Support Lifecycle | SUSE

https://www.suse.com/lifecycle/

SUSE product support lifecycle has guidelines for the...