How does Ubuntu 16.04 entering Extended Security Maintenance (ESM) affect snap publishers?
by Igor Ljubuncic on 23 March 2021
At the end of April, Ubuntu 16.04 LTS will reach the end of its five years of mainstream support and enter the Extended Security Maintenance (ESM) phase. If you’re a snap developer, and you have built or based your snaps on Ubuntu 16.04 (Xenial) packages and libraries, you may want to know how this milestone affects you. This blog post outlines the details of the change, the implications, and the future roadmap.
Who is impacted and why?
As we’ve mentioned in another article last week, snapcraft was originally designed to work with Ubuntu 16.04 as its build-time base, and at runtime, a special snap called core would be used as a runtime base. Since, two new bases have been published – core18 and core20, which use the later LTS releases packages and libraries at runtime.
When you develop snaps, you can list the base you want to use in your snapcraft.yaml file using the base keyword, e.g.:
This means that snapcraft will query the Ubuntu 18.04 LTS archives for build and runtime packages that you specify in the build declaration. For instance, if you need the libpng library, snapcraft will use the version available in the 18.04 repositories when you specify core18 as your base, or the Focal repositories, if you use core20.
Some snaps, especially early on, have been built without an explicit declaration of a base or with base: core in snapcraft.yaml. These snaps will be impacted by the Ubuntu 16.04 ESM milestone.
What is ESM?
The Extended Security Maintenance (ESM) program extends Canonical’s LTS commitment of providing security updates to the Ubuntu base and several other critical components by a few more years.
Until April 2024, users with an Ubuntu Advantage (UA) subscription will continue to benefit from security updates for Ubuntu 16.04, including the snap publishers. Ubuntu Advantage subscriptions are available for free to individual developers and community members.
Ubuntu Advantage (UA) for community developers
To be able to continue building using the ESM base for local and on-premise builds, snap publishers and developers will need to obtain UA tokens. These tokens are free for all community users, for up to three machines, and up to 50 machines for Ubuntu members.
The functionality will then be reflected in the snapcraft usage in the following manner:
snapcraft <step> --ua-token <token>
The provisioning of the ESM packages will be done seamlessly in the background.
What is the timeline?
Day 1: Snaps will continue working
Most importantly, there will be no immediate impact to either developers or users right away. Snaps will continue working just as on the day they were built, and your users will be able to continue running them.
The question is, what happens once one of the packages becomes outdated, or a potential security vulnerability is discovered in one of the libraries or other components you have declared in your snapcraft.yaml file?
Launchpad and Snapcraft Build Service
In addition to running snapcraft locally or inside a CI system, snaps can also be built using Launchpad and Snapcraft Build Service. Both these services will continue working as before.
Launchpad will continue to build for the ESM base without restrictions. It will use the snapcraft 4.X track for these builds. Similarly, the remote build feature, which uses Launchpad, will continue working as before.
If you’re using Snapcraft Build Action, it will also have support for the use of UA tokens as an input in the actions.yml file. This should allow you to continue using the functionality. The exact date for the implementation of this feature will be communicated separately.
Snapcraft support for ESM base
If you’re building snaps locally or through your own CI/CD system, here’s what to expect from snapcraft:
- There will be two tracks of snapcraft available – legacy and mainstream. For the time being, the two tracks will be maintained in parallel, and will match versions and capabilities.
- The cores will be re-labeled accordingly: core will become ESM base, core18 and core20 will become LTS bases.
- Three months after Ubuntu 16.04 LTS enters ESM, the legacy track will be frozen to the latest snapcraft 4.X version available at that moment.
- The mainstream snapcraft version will be bumped to 5.X in the latest track.
- Snap developers and publishers will not be able to use the 5.X or any later version of snapcraft to build with the ESM base.
- Snap developers and publishers using the ESM base and running snapcraft’s latest track will be notified to migrate to track 4.X once Ubuntu 16.04 enters ESM.
- Snap developers and publishers should consider migrating to newer LTS bases.
What happens next?
In the coming weeks, we will publish several tutorials on how to migrate from the ESM base to newer ones. We will highlight some of the common questions or obstacles that you may encounter, and hopefully provide you with a seamless path in your snap journey.
The end of mainstream support for Ubuntu 16.04 LTS does not mean the end of support for your snaps. Quite the opposite. Snap developers as well as users will benefit from free extended support for their software. This should provide everyone with sufficient time to slowly adjust their workflows and migrate to newer bases, if possible. The separation of the application code from the underlying system, a fundamental principle of the snap architecture, offers continued flexibility and security to the snap community.
If you have any questions or concerns, please reach out. You can join our forum and let us know about any difficulties you may face in migrating to newer cores. This will help us make our solutions even more robust, and provide useful insight to other snap developers around the world.
Stay tuned for updates.