Snapcraft and Extended Security Maintenance
The former default base snap when building snaps with Snapcraft was
core, which uses Ubuntu 16.04 LTS as its build and runtime environment. This has since been superseded by
core20, based on Ubuntu 18.04 LTS and Ubuntu 20.04 LTS respectively, which are now the default and recommended build and runtime environments for new snaps.
However, there are still some snaps built using Ubuntu 16.04 LTS, either explicitly by including
core in their snapcraft.yaml, or implicitly by not defining any base at all.
To remain secure and supported, these snaps will need to either:
- migrate the snap to a later supported base
- use the Extended Security Maintenance (ESM) programme
See Migrating between bases for help switching to a newer base, and see below for details on Snapcraft changes and using ESM when building core-based snaps.
- Changes to Snapcraft
- Extended Security Maintenance
- Using the Ubuntu Advantage token
- Remote build and Snapcraft build service
- Github Actions
Changes to Snapcraft
16.04-based snaps will continue to work
There will be no immediate impact to either Snapcraft developers or snap users. Snaps will continue to work and your users will be able to continue running them. ESM only becomes relevant as packages need to be updated and patched.
If you’re building snaps locally or through your own CI/CD system:
- Snapcraft now has two tracks:
Both tracks will be maintained in parallel until the release of Snapcraft 5, after which
4.xwill be maintained for ESM compatibility.
- cores will be relabelled:
corebecomes ESM base
core20become LTS bases.
- Snap developers and publishers using the ESM base will not be able to use Snapcraft 5 or later. A notification will inform developers to use the
Extended Security Maintenance
The Extended Security Maintenance (ESM) programme extends Canonical’s LTS commitment of providing security updates to the Ubuntu base, and several other critical components, by a few more years. With ESM, Ubuntu 16.04 LTS gains three extra years of security updates, shifting its end of life date to April 2024.
Until April 2024, users with an Ubuntu Advantage (UA) subscription will continue to benefit from security updates for Ubuntu 16.04 LTS, and this includes snap publishers.
Ubuntu Advantage subscriptions are available for free to individual developers and community members.
To continue using an ESM base with local and on-premise builds, snap publishers and developers will need to obtain UA tokens. These tokens are free for all community users, for up to three machines, and up to 50 machines for Ubuntu members.
Visit ubuntu.com/advantage to create an account, or login, and retrieve a token. The token itself can be accessed by expanding the Machines drop-down button for the UA subscription you wish to use and copying its value, shown as
Using the Ubuntu Advantage token
snapcraft --ua-token <ua-token>
The build environment needs the
ua command installed, provided by the
ubuntu-advantage-tools package, and this package is automatically installed by snapcraft.
When the snapcraft command is run, the provisioning of the ESM packages will be done seamlessly in the background.
Example output when specifying the UA token
Launching a container. Waiting for container to be ready Waiting for network to be ready... Attaching specified UA token... Enabling default service esm-apps Updating package lists UA Apps: ESM enabled Enabling default service esm-infra Updating package lists UA Infra: ESM enabled This machine is now attached to 'UA Applications - Essential (Virtual)' SERVICE ENTITLED STATUS DESCRIPTION esm-apps yes enabled UA Apps: Extended Security Maintenance (ESM) esm-infra yes enabled UA Infra: Extended Security Maintenance (ESM) fips yes n/a NIST-certified FIPS modules fips-updates yes n/a Uncertified security updates to FIPS modules livepatch yes n/a Canonical Livepatch service NOTICES Operation in progress: ua attach Enable services with: ua enable <service> Account: Subscription: UA Applications - Essential (Virtual) Valid until: 3999-12-31 00:00:00 Technical support level: essential [...] Detaching specified UA token...
Remote and Snapcraft build services
In addition to running snapcraft locally, or inside a CI system, snaps can also be built using remote build on Launchpad and our Snapcraft Build Service. Both of these services will continue working as before.
Launchpad will continue to build for the ESM base without restrictions. It will use the Snapcraft 4.x track for these builds. Similarly, the remote build feature will continue working as before.
Last updated 5 months ago.