I don't care they're gating this behind a subscription but the fact that they won't even tell you that you're missing an important security update? That's bad. I wonder how many people think they are fully up to date while being vulnerable to known bugs.
They do tell you that you are missing now. On ubuntu 24.04, apt now reports/nags me about security updates behind esm-apps.
They also publish an oval xml for use with openscap tools to get a list of unpatched CVEs. The issue is not enough people know about those tools.
https://security-metadata.canonical.com/oval/
Aha, thanks. I'm trying to look up the CVE on https://ubuntu.com/security/notices and the site's search responds with "504 Gateway Time-out" or "500: Server error". Come on Ubuntu.
They finally agreed to publish OSV data in addition to OVAL. OVAL XML files are terrible to use, and OSV is amazing in comparison, so this will get more tool adoption.
> I don't care they're gating this behind a subscription
I rather not have them push an ad to my face when I open the settings.
I had to install Ubuntu on an embedded board last week and the "Ubuntu Pro" ad is like a greyed out tab in the settings widget if I remember correctly. Worse than the Amazon ad they had some decade ago.
