Debian 12.0 Released - Powered By Linux 6.1 LTS, Easier Non-Free Firmware Handling
  • #61
    I've been waiting for this a long time. Debian finally makes proprietary drivers and newer software available. I've been using neon for a while, but now I can switch to Debian with almost no compromises.

    • #62
      Originally posted by marlock View Post
      ps: their wording about the average exposure time going down from 98 days to 1 day does seem to imply they are withholding security patches for an average 97 days delay between making them available for Pro and for normal open distro usage, which is terrible... if that's what they really meant...
      No, I don't think that was what they meant. I don't think Ubuntu Pro security updates ever flow to universe. So back before they launched Ubuntu Pro:
      • Universe is supported by "the community". Meaning that if some external (non-Canonical) volunteer provides a security update, Canonical will review and help that person to upload that update to universe. If nobody volunteers, well, the vulnerable package remains unpatched, possibly until the distro version goes EOL.
      After Ubuntu Pro was launched, it works as follows:
      • Universe is supported by "the community". Meaning that if some external (non-Canonical) volunteer provides a security update, Canonical will review and help that person to upload that update to universe. If nobody volunteers, well, the vulnerable package remains unpatched, possibly until the distro version goes EOL.
      • Ubuntu Pro subscribers get access to another repository where Canonical provides security updates for (a subset of?) the packages in universe. These security updates are, AFAIU, never "released" to the universe repository.

      Now, depending on whether you're a foaming-at-the-mouth Canonical fanboy with posters of Mark Shuttleworth in your bedroom, or you hate Ubuntu with the passion of a thousand suns (THERE CAN BE NO IN-BETWEEN POSITION!!!11), you can speculate what happens if a volunteer provides a security update for a universe package that is supported by Canonical and thus reduces the value of an Ubuntu Pro subscription.

      • #63
        Going by their current pattern handling kernel updates, the Universe repo will probably receive the patch in normal timing, and in the Pro-Universe-subset repo the equivalent package might take a little while longer to get the Canonical-authored patches replaced by the upstream changes, but this will eventually happen.

        Not a problem since they're in separate repos.

        Also, Canonical typically keeps the kernel in an older upstream base version but actually cherry-picks lots of patches from newer upstream versions and backports these along with their own work... note how they frequently adhere to an upstream kernel LTS version minus .1 and end package names with the package upstream version dash Canonical subversion.

        Canonical is slowly learning the value of tracking upstream changes closer... very slowly... but doing all this doubled effort is still a big "thing" for them.
        Last edited by marlock; 14 June 2023, 07:01 AM.

        • #64
          Originally posted by jabl View Post
          As far as I understand, an Ubuntu release is largely a snapshot of Debian testing/sid. The main repo contains those packages which Canonical has decided to fully support (with, in some cases different versions from what Debian is shipping, plus various ubuntu specific packages and patches), and thus universe is essentially the rest of the Debian archive more or less unmodified (ignoring here restricted/multiverse and Debian contrib/non-free).
          So Canonical forks Debian Unstable, then decides to maintain only a smaller part of it (~2300 packages), and the rest (23000+ packages) aren't supported without a subscription or volunteer help.
          Such practices don't sound convincing at all. Therefore now I can't rely on current and future Ubuntu LTS, the new Snap-based desktop, or even Ubuntu Pro.
          When other distros (e.g. Debian, Fedora) have maintenance/manpower issues they just drop packages from their repos. Sometimes it's disappointing, but at least it's fair to their users.
          Also, in such a case volunteers can step in and take over maintenance (example: Fedora's LibreOffice RPM).

          • #65
            Originally posted by marlock View Post
            going by their current pattern handling kernel updates, the Universe repo will receive the patch in normal timing, and the Pro-Universe-subset equivalent package might take a little while longer to get the Canonical-authored patches replaced by the upstream changes, but this will eventually happen
            Upstream won't provide security patches for Canonical's frozen version/fork.

            Originally posted by marlock View Post
            this will eventually happen
            After I learned that the security update for jqueryui still hadn't landed after 278 days, I can't share this optimism.

            • #66
              OK, this is indeed weird as f... Ubuntu 22.04 is the current LTS, not an EOL version...

              ...and the patch exists but only for the ESM version, so it is quite explicitly "available with Ubuntu Pro" but not for anyone else.

              Is this even the Universe repo or a more core one?
              • #67
                And circling back to Debian... is the same thing fixed there?

                • #68
                  Originally posted by marlock View Post
                  and circling back to Debian... is the same thing fixed there?
                  Looking at oldstable (stable is a bit unfair as a new stable was just released) https://metadata.ftp-master.debian.o...11u1_changelog shows it was last updated in December 2021. Lol.

                  • #69
                    That might not automatically mean there is an open vulnerability in the Debian version of the package (it might not have been affected at all), but it sure is a nice big yellow flag to look into further.

                    I do have my reservations towards Canonical and Ubuntu, but I've become more cautious about flaming them after reading what the Linux Mint devs had to say about Ubuntu while replying to users that criticized Ubuntu and asked them to rebase over Debian for their main flavours.

                    They do keep Linux Mint Debian Edition around as a proof-of-concept effort in case Ubuntu goes kaput, but never really consider it worthwhile to jump off the Ubuntu derivative distro bandwagon for their main flavours Cinnamon, MATE and Xfce.
                    Last edited by marlock; 14 June 2023, 04:18 PM.

                    • #70
                      Originally posted by marlock View Post
                      That might not automatically mean there is an open vulnerability in the Debian version of the package (it might not have been affected at all), but it sure is a nice big yellow flag to look into further
                      Per https://security-tracker.debian.org/...CVE-2022-31160 it was never fixed in Debian bullseye (release 11, currently oldstable).