ESM for ROS: 15 things you need to know

With the End of Life of ROS Noetic, we have received many questions from people in the robotics community who are interested in learning about Extended Security Maintenance for Robot Operating System (ESM for ROS). This blog aims to answer those questions. For more information on this topic, please have a look at our webpage

If after reading this article you have some remaining questions, feel free to get in touch.

What is ESM for ROS? 

Extended Security Maintenance for Robot Operating System (ESM for ROS) is a service by Canonical that provides security maintenance for ROS Long Term Support (LTS) releases and the underlying Ubuntu distributions beyond the 5 years of standard support, starting with ROS Kinetic. 
ESM for ROS is available with an Ubuntu Pro subscription.

What is ESM?

Extended Security Maintenance (ESM) for Ubuntu underpins ESM for ROS and provides extended Linux kernel and open-source security updates for the Ubuntu base OS. This includes key infrastructure components, like Python, OpenSSL, OpenVPN, network-manager, sed, curl, systemd, udev, bash, OpenSSH, login, libc, as well as open source applications and libraries, like Boost, Qt, OpenCV, PCL, python-(argcomplete, pybind11, png…), cython, Eigen, GTK, FFMPEG, and more. Many of these packages are commonly found in robotics applications.

What is included in ESM for ROS?

ESM for ROS includes:

• 10-year LTS release lifetime for ROS bringing the highest level of security and compliance.    
• Security patching for over 23,000 packages in ROS, Ubuntu Universe and Ubuntu Main.
• Better security KPIs, as critical CVEs patches are applied on average in less than 24h.

Plus access to all the tools, services, and features offered in Ubuntu Pro, like Landscape for device management or FIPS cryptography modules.

What’s included in the Ubuntu Pro subscription?

Depending on your subscription, you can access:  

• Ubuntu systems management with Landscape.
• Kernel Livepatch service to avoid reboots.
• Security certification (e.g. FIPS and CIS).
• Access to real-time kernel. 
• 24/7, open-source software support for the full stack.

To compare pricing and assess which subscription is right for you,  please visit Ubuntu Pro for devices. 

If you are new to Ubuntu Pro, this guide will assist you in activating your Ubuntu Pro subscription. 

Is ESM for ROS for me? 

ESM for ROS was designed for companies deploying commercial products and services based on ROS. Just like the rest of your software, ROS needs regular maintenance as projects scale. ESM for ROS provides you with continuous maintenance of your ROS environment through security updates, CVE and critical bug fixes. It also includes more than 23,000 packages in Ubuntu Main and Universe. 

As such, ESM for ROS helps companies comply with security regulations like the Cyber Resilience Act (CRA). Moreover, ESM for ROS is compatible with amd64, arm64, and armhf architectures, ensuring broad support across various hardware platforms.

What ROS distributions are supported?

We support ROS 1 Kinetic, Melodic and Noetic, as well as ROS 2 Foxy. Newer ROS distributions will be supported. 

For a list of supported architectures with ESM please visit the web page.

What packages are covered in ESM for ROS?

ESM for ROS focuses on core ROS functionality. ESM covers the REP-142 ‘ros_base’ for ROS 1 and its equivalent ‘ros_base’ for ROS 2. 

This includes packages such as python-catkin, python-rosdep, ros-${ROS_DISTRO}-ros-core…, ros-${ROS_DISTRO}-genmsg/rosbag…, per supported ROS distribution.

ESM for ROS only applies to ROS on Ubuntu. 

What’s included in Ubuntu Universe and Ubuntu Main?

Ubuntu Main includes more than 2,300 packages that are maintained for free during the 5 years of the LTS’ standard support. These packages get security maintenance for an extra  5 years during the ESM period. This includes packages such as Python, OpenSSL, OpenVPN, network-manager, sed, curl, systemd, udev, bash, OpenSSH, login, libc… For the whole list of what’s included in Main, you can visit the Ubuntu Packages Search tool.

ESM for ROS also gives you access to security maintenance for Ubuntu Universe. There are more than 28,000 debs that ROS developers use. This includes packages such as Boost, Qt, OpenCV, PCL, python-(argcomplete, OpenCV, pybind11, png…), cython, eigen, GTK, FFMPEG…  

For the whole list of what’s included in Main and Universe, you can visit the  Ubuntu Packages Search tool.  

This guide will help you pinpoint security updates for the Universe packages you are using.

How do I get ESM for ROS?

ESM for ROS is available with an Ubuntu Pro subscription and it’s free for personal use, or for our Ubuntu Core customers. 

For businesses, you can get a subscription by purchasing it on the Ubuntu Pro store. This is recommended for companies that need ESM for development environments.

For companies with larger fleets, we offer Ubuntu Pro for Devices. This option is recommended for companies with a volume of devices and looking for a one–time–fee per device. Ubuntu Pro for Devices uses a beneficial discount-based model compared to the store option. 

To get the Ubuntu Pro for Devices pricing, get in touch with a sales representative.

How do I consume ESM for ROS updates?

You can either consume solely security-related updates, or, both security updates and bug fixes. This user introduction document has all you need to get started. In essence, you do not have to make changes to your current ROS workflow. ESM for ROS sets up a new PPA for you to consume updates. This reduces downtime or resources needed to migrate to ESM for ROS.

How long will ROS Noetic be maintained?

ROS Noetic and Ubuntu 20.04 LTS reached EOL in 2025. With ESM for ROS, they will be supported for an additional 5 years until April 2030.

How long will ROS Kinetic be maintained?

ROS Kinetic and Ubuntu 16.04 LTS reached EOL in 2021. With ESM for ROS, they will be supported for an additional 5 years until April 2026. 

We have released more than 1,400 CVE patches for our ESM customers since 16.04 and ROS Kinetic reached their end of support.

How long will ROS Melodic and ROS 2 Foxy be maintained?

ROS Melodic, ROS 2 Foxy and Ubuntu 18.04 LTS reached EOL in 2023. With ESM for ROS, they will be supported for an additional 5 years until April 2028.

Do ESM for ROS updates execute automatically on the device? 

ESM for ROS follows the standard Ubuntu update process. ESM does not push updates to devices. Rather, subscribers pull them or explicitly enable automatic updates. With ESM you can decide whether to consume security updates only, or both security updates and bugfixes. 

As a ESM user, you also get access to Livepatch, Canonical’s service to apply critical kernel patches without rebooting.

What’s involved in ESM for ROS vulnerability monitoring?

ESM for ROS uses static analysis tools that run weekly and scan all the code included in ESM for ROS for vulnerabilities. Common vulnerabilities and exposures (CVE) are triaged by Canonical’s Security team as soon as they are reported, and assigned a level of criticality, from Negligible to Critical. Learn more about this process with our documentation page. 

After applying a patch, any proof of concepts for the issue are run again to make sure it can no longer be reproduced. Then, the patched version is thoroughly tested once again to ensure functionality has not been affected and to ensure API/ABI stability whenever possible.

Summary

We hope this blog has answered some of your questions related to ESM for ROS. If you still have questions, please review ESM for ROS datasheet or get in touch if you need advice on the best path for your company.

Get ESM for ROS