About ESM, esm-apps and esm-infra
Expanded Security Maintenance (ESM)
In the earlier version of Ubuntu Pro, when security fixes were only guaranteed
for packages in the ‘main’ repository, ESM used to be known as Extended
Security Maintenance. At that time, it referred to the additional five years
of security coverage that Pro provided after the standard five years of
security coverage expired. It extended the security coverage to ten years.
This has since become known as esm-infra (more on that below!).
Since then, Pro has grown considerably in the size and scope of what it provides. Where we originally only guaranteed security maintenance for packages in the ‘main’ repository, we have now expanded the scope of our security fixes to also include packages in the ‘universe’ repository. So, when Pro went into General Availability in early 2023 and became available to all, ESM became Expanded Security Maintenance to reflect the expanded scope of our coverage.
What are ‘main’ and ‘universe’?
There are tens of thousands of Ubuntu packages, all organised into sets in repositories.
‘Main’ is the set of packages we identified as our focus when we launched Ubuntu - they are packages that are either installed on every machine, or very widely used for all kinds of deployments, from desktop to cloud. When we launched Ubuntu LTS, we made a commitment to security-support these packages and their dependencies in ‘main’ for five years, free of charge. There were initially about 1,000 packages in ‘main’, and today that number has grown to about 2,300 per Ubuntu release.
The ‘universe’ repository holds all of the other open source packages in Ubuntu, from Debian and the Ubuntu community. ‘Universe’ is a much bigger repository, with over 23,000 packages per release. Historically those packages came with no security maintenance commitment from Canonical. Nevertheless, Canonical and the Ubuntu community provided best-effort maintenance for those packages. With the launch of Ubuntu Pro, all of the packages of Ubuntu ‘universe’ get the same security maintenance commitment from Canonical as packages in Ubuntu ‘main’.
There are two streams of broad-based security updates for packages; we label these ‘apps’ (for applications) and ‘infra’ (for infrastructure).
esm-apps stream covers all ‘universe’ packages for ten years from the release of the LTS.
esm-infra stream covers ‘main’ packages for the period after the standard five year security maintenance of ‘main’ packages ends. We call this ‘infra’ because it is commonly used to build our private cloud, storage and Kubernetes clusters, where ‘universe’ packages are not typically deployed.
Commercial and enterprise customers can get a lower-cost Ubuntu Pro (infra-only) subscription when only the ‘infra’ components are needed, which equates to our original ESM offering.
How can I enable
You can manage
pro on the command line. To
find out how, read our guide on
enabling and disabling these services
on your machine.
esm-apps packages preferred over regular updates?
Yes. The Pro Client will deliver the following configuration files to apt to
esm updates are preferred when running
These files are pinning the packages coming from
esm to give them a higher
priority than the standard defined in apt. This means that the version to be
installed by apt (in
upgrade) or by unattended-upgrades will
always be the highest
esm version available for a given package, even if a
higher version is present on a non-esm source.
This behaviour guarantees that if you have
your system will always have the
esm patches installed for any package
available in the ESM repositories.
Although the preference files listed above will always be delivered by the package, they will only take effect when the packages from the sources they reference are available, i.e. when the services are enabled. Otherwise, it is safe to keep those files around.
Check the APT Configuration article in the Debian Wiki to learn more about pinning and priorities.
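
To check on a host that the pinning described above is actually deciding what apt installs, the following added example (not part of the Ubuntu Pro documentation or the Pro Client's code) parses `apt-cache policy <package>` output and reports whether the candidate comes from an ESM source and whether that source outranks the regular archive. The sample output, package name, versions, the priority value 510 and the `esm.ubuntu.com` host marker are constructed or assumed for illustration.

```python
import re

# Constructed `apt-cache policy` output: package name, versions, suites and the
# priority 510 are illustrative values, not taken from a real host.
SAMPLE_POLICY = """\
examplepkg:
  Installed: 1.0-1ubuntu1
  Candidate: 1.0-1ubuntu1+esm2
  Version table:
     1.2-1 500
        500 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages
     1.0-1ubuntu1+esm2 510
        510 https://esm.ubuntu.com/apps/ubuntu focal-apps-security/main amd64 Packages
 *** 1.0-1ubuntu1 100
        100 /var/lib/dpkg/status
"""
ESM_MARKER = "esm.ubuntu.com"  # assumption: ESM sources are served from this host


def parse_policy(text):
    """Return (candidate, {version: {"priority": int, "sources": [str]}})."""
    candidate, table, current = None, {}, None
    for line in text.splitlines():
        if m := re.match(r"\s+Candidate:\s+(\S+)", line):
            candidate = m.group(1)
        # Version rows: "     1.2-1 500" or " *** 1.0-1ubuntu1 100".
        elif m := re.match(r"\s+(?:\*\*\*\s+)?(\S+)\s+(-?\d+)$", line):
            current = table.setdefault(
                m.group(1), {"priority": int(m.group(2)), "sources": []})
        # Source rows: "        500 http://... Packages".
        elif (m := re.match(r"\s+-?\d+\s+(\S.*)$", line)) and current is not None:
            current["sources"].append(m.group(1))
    return candidate, table


def check_esm_pin(text):
    """Report whether the ESM pin decides the candidate; None if no ESM version is listed."""
    candidate, table = parse_policy(text)
    is_esm = lambda e: any(ESM_MARKER in s for s in e["sources"])
    esm = {v: e for v, e in table.items() if is_esm(e)}
    if not esm:
        return None  # service disabled or package not in ESM: the pin has nothing to act on
    # Compare against archive sources only; the installed entry (dpkg status) is skipped.
    archive = [e["priority"] for v, e in table.items()
               if v not in esm and any("://" in s for s in e["sources"])]
    return {
        "candidate_from_esm": candidate in esm,
        "esm_outranks_archive": min(e["priority"] for e in esm.values()) > max(archive, default=0),
    }
```

A result with `candidate_from_esm` false while an ESM version is listed means something else (another preferences file or a held package) is overriding the pin and is worth investigating.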