
Canonical, the publishers of Ubuntu, create their own set of security patches for packages in Ubuntu's "universe" repository of community-maintained software. They make these patches available only to their paying Ubuntu Pro customers (who, under open source licenses, may choose to pass them on), and only later provide them directly to the upstream project or to other users of software from universe.

Would using software for which security patches exist but are not available to you (or where you have declined to purchase them) violate any particular security standards or auditing guidelines?

  • Aren't you basically asking if knowingly using vulnerable software could be a compliance violation for some kind of compliance requirements? Phrased this way the answer should be a clear yes. Commented Apr 23 at 16:20
  • You appear to be under the impression that all patches should be free, and if they are not, then auditors should overlook the known vulnerability that you elect to keep exposed in your software... Commented Apr 23 at 18:55
  • It's called Vulnerability Compliance. qualysec.com/vulnerability-compliance Commented Apr 23 at 20:00
  • @schroeder It's less of an impression and more of an opinion. If you let just anyone start charging all users of critical software for their patches, enforced by auditors who will shut you down if you don't pay and IP lawyers who stop the price from cratering after the first sale, you'll end up with ransomware-style extortion with extra steps. You break down such a regime with free, or at least trivially cheap and generally available, patches. Commented Apr 28 at 13:48
  • ... but Ubuntu is writing patches for other people's products and your opinion is that these should be free? How do you imagine one maintains the ability to do this work without paying people to do it? Commented Apr 28 at 14:26

1 Answer


Yes, this would be against most standards and recommendations, because you are running software versions that have known vulnerabilities. If you have other mitigations for those vulnerabilities in place then you can use that as justification for why you're not installing the patches, but then the commercial aspect isn't really relevant.

In some circumstances you might be able to try to argue it with an auditor, if the requirement of the standard is phrased as installing "all available security patches", on the basis that the patches aren't available to you...but it's a pretty weak argument and not one that I'd personally want to have, and it would depend on the exact wording of whichever standard you're trying to comply with.

The place where you'd be in a better position to argue is if you're choosing not to pay for additional security features or improvements that aren't available for free, and that would be a much more defensible position. But that's a very different thing from patches addressing existing vulnerabilities.
