ROS ESM: 15 things you need to know

With the End of Life of ROS Noetic, we have received many questions from people in the robotics community who are interested in learning about Robot Operating System Extended Security Maintenance (ROS ESM). This blog aims to answer those questions. For more information on this topic, please have a look at our webpage.

If after reading this article you have some remaining questions, feel free to get in touch.

What is ROS ESM? 

Robot Operating System Extended Security Maintenance (ROS ESM) is a service by Canonical that provides security maintenance for ROS Long Term Support (LTS) releases and the underlying Ubuntu distributions beyond the 5 years of standard support, starting with ROS Kinetic. 
ROS ESM is available with an Ubuntu Pro subscription.

What is ESM?

Extended Security Maintenance (ESM) for Ubuntu underpins ROS ESM and provides extended Linux kernel and open-source security updates for the Ubuntu base OS. This includes key infrastructure components, like Python, OpenSSL, OpenVPN, network-manager, sed, curl, systemd, udev, bash, OpenSSH, login, libc, as well as open source applications and libraries, like Boost, Qt, OpenCV, PCL, python-(argcomplete, pybind11, png…), cython, Eigen, GTK, FFMPEG, and more. Many of these packages are commonly found in robotics applications.

What is included in ROS ESM?

ROS ESM includes:

  • 10-year LTS release lifetime for ROS bringing the highest level of security and compliance.    
  • Security patching for over 23,000 packages in ROS, Ubuntu Universe and Ubuntu Main.
  • Better security KPIs, as critical CVE patches are applied in less than 24 hours on average.

Plus access to all the tools, services, and features offered in Ubuntu Pro, like Landscape for device management or FIPS cryptography modules.

What’s included in the Ubuntu Pro subscription?

Depending on your subscription, you can access:  

  • Ubuntu systems management with Landscape.
  • Kernel Livepatch service to avoid reboots.
  • Security certification (e.g. FIPS and CIS).
  • Access to real-time kernel. 
  • 24/7, open-source software support for the full stack.

To compare pricing and assess which subscription is right for you, please visit Ubuntu Pro for devices.

If you are new to Ubuntu Pro, this guide will assist you in activating your Ubuntu Pro subscription. 

Is ROS ESM for me? 

ROS ESM was designed for companies deploying commercial products and services based on ROS. Just like the rest of your software, ROS needs regular maintenance as projects scale. ROS ESM provides you with continuous maintenance of your ROS environment through security updates, CVE and critical bug fixes. It also includes more than 23,000 packages in Ubuntu Main and Universe. 

As such, ROS ESM helps companies comply with security regulations like the Cyber Resilience Act (CRA). Moreover, ROS ESM is compatible with amd64, arm64, and armhf architectures, ensuring broad support across various hardware platforms.

What ROS distributions are supported?

We support ROS 1 Kinetic, Melodic and Noetic, as well as ROS 2 Foxy. Newer ROS distributions will be supported. 

For a list of supported architectures with ESM please visit the web page.

What packages are covered in ROS ESM?

ROS ESM focuses on core ROS functionality. ROS ESM covers the REP-142 ‘ros_base’ for ROS 1 and its equivalent ‘ros_base’ for ROS 2. 

This includes packages such as python-catkin, python-rosdep, ros-${ROS_DISTRO}-ros-core…, ros-${ROS_DISTRO}-genmsg/rosbag…, per supported ROS distribution.

ROS ESM only applies to ROS on Ubuntu. 

What’s included in Ubuntu Universe and Ubuntu Main?

Ubuntu Main includes more than 2,300 packages that are maintained for free during the 5 years of the LTS’ standard support. These packages get security maintenance for an extra 5 years during the ESM period. This includes packages such as Python, OpenSSL, OpenVPN, network-manager, sed, curl, systemd, udev, bash, OpenSSH, login, libc… For the whole list of what’s included in Main, you can visit the Ubuntu Packages Search tool.

ROS ESM also gives you access to security maintenance for Ubuntu Universe. There are more than 28,000 debs that ROS developers use. This includes packages such as Boost, Qt, OpenCV, PCL, python-(argcomplete, OpenCV, pybind11, png…), cython, eigen, GTK, FFMPEG…

For the whole list of what’s included in Main and Universe, you can visit the Ubuntu Packages Search tool.

This guide will help you pinpoint security updates for the Universe packages you are using.

How do I get ROS ESM?

ROS ESM is available with an Ubuntu Pro subscription. It is free for personal use and for our Ubuntu Core customers.

For businesses, you can get a subscription by purchasing it on the Ubuntu Pro store. This is recommended for companies that need ESM for development environments.

For companies with larger fleets, we offer Ubuntu Pro for Devices. This option is recommended for companies that have a volume of devices and are looking for a one-time fee per device. Ubuntu Pro for Devices uses a beneficial discount-based model compared to the store option.

To get the Ubuntu Pro for Devices pricing, get in touch with a sales representative.

How do I consume ROS ESM updates?

You can consume either security-related updates only, or both security updates and bug fixes. This user introduction document has all you need to get started. In essence, you do not have to make changes to your current ROS workflow. ROS ESM sets up a new PPA for you to consume updates. This reduces the downtime and resources needed to migrate to ROS ESM.

How long will ROS Noetic be maintained?

ROS Noetic and Ubuntu 20.04 LTS reached EOL in 2025. With ROS ESM, they will be supported for an additional 5 years until April 2030.

How long will ROS Kinetic be maintained?

ROS Kinetic and Ubuntu 16.04 LTS reached EOL in 2021. With ROS ESM, they will be supported for an additional 5 years until April 2026. 

We have released more than 1,400 CVE patches for our ESM customers since 16.04 and ROS Kinetic reached their end of support.

How long will ROS Melodic and ROS 2 Foxy be maintained?

ROS Melodic, ROS 2 Foxy and Ubuntu 18.04 LTS reached EOL in 2023. With ROS ESM, they will be supported for an additional 5 years until April 2028.

Do ROS ESM updates execute automatically on the device? 

ROS ESM follows the standard Ubuntu update process. ESM does not push updates to devices. Rather, subscribers pull them or explicitly enable automatic updates. With ROS ESM you can decide whether to consume security updates only, or both security updates and bug fixes.

As a ROS ESM user, you also get access to Livepatch, Canonical’s service to apply critical kernel patches without rebooting.

What’s involved in ROS ESM vulnerability monitoring?

ROS ESM uses static analysis tools that run weekly and scan all the code included in ROS ESM for vulnerabilities. Common vulnerabilities and exposures (CVEs) are triaged by Canonical’s Security team as soon as they are reported, and assigned a level of criticality, from Negligible to Critical. Learn more about this process on our documentation page.

After a patch is applied, any proofs of concept for the issue are run again to make sure it can no longer be reproduced. Then, the patched version is thoroughly tested once again to ensure functionality has not been affected and to ensure API/ABI stability whenever possible.

Summary

We hope this blog has answered some of your questions related to ROS ESM. If you still have questions, please review the ROS ESM datasheet or get in touch if you need advice on the best path for your company.
