Gabriel Aguiar Noury
on 26 April 2021
With the announcement of Robot Operating System (ROS) Expanded Security Maintenance (ESM), we have received many questions from people in the robotics community who are interested in learning about this enterprise solution. This blog aims to answer some of the most common questions. For more background on this, please have a look at the ROS ESM website.
If after reading this article you have some remaining questions, feel free to get in touch.
- What is ROS ESM?
- What is ESM?
- What is included in ROS ESM?
- What’s included in the Ubuntu Pro subscription?
- What is ROS enterprise support?
- Is ROS ESM for me?
- What ROS distributions are supported?
- What packages are covered in ROS ESM?
- What’s included in Ubuntu Universe and Ubuntu Main?
- How do I get ROS ESM?
- How do I consume ROS ESM updates?
- How long will ROS Kinetic be maintained?
- How long will ROS Melodic and ROS 2 Foxy be maintained?
- Do ROS ESM updates execute automatically on the device?
- What’s involved in ROS ESM vulnerability monitoring?
What is ROS ESM?
Robot Operating System Expanded Security Maintenance (ROS ESM) is a service by Canonical that provides security maintenance for ROS Long Term Support (LTS) releases and the underlying Ubuntu distributions beyond the 5 years of standard support, starting with ROS Kinetic.
ROS ESM is available with an Ubuntu Pro subscription.
What is ESM?
Extended Security Maintenance (ESM) for Ubuntu underpins ROS ESM and provides extended Linux kernel and open-source security updates for the Ubuntu base OS. This includes key infrastructure components, like Python, OpenSSL, OpenVPN, network-manager, sed, curl, systemd, udev, bash, OpenSSH, login, libc, as well as open source applications and libraries, like Boost, Qt, OpenCV, PCL, python-(argcomplete, OpenCV, pybind11, png…), cython, eigen, GTK, FFMPEG, and more.
Although not part of ROS, many of these applications are commonly bundled with robotics applications.
What is included in ROS ESM?
ROS ESM includes:
- 10-year LTS release lifetime for ROS, bringing the highest level of security and compliance.
- Security patching for over 23,000 packages in ROS, Ubuntu Universe and Ubuntu Main.
- Better security KPIs, as patches for critical CVEs are applied on average in less than 24h.
Plus access to all the tools, services, and features offered in Ubuntu Pro.
What’s included in the Ubuntu Pro subscription?
Depending on your subscription, you can access:
- Ubuntu systems management with Landscape.
- Kernel Livepatch service to avoid reboots.
- Security certification (e.g. FIPS and CIS).
- Real-time kernel.
- 24/7, open-source software support for the full stack.
To compare pricing and assess which subscription is right for you, please visit our shop.
What is ROS enterprise support?
ROS enterprise support is a part of ROS ESM. With ROS ESM, customers receive long-term support for their ROS and Ubuntu environment from Canonical and Open Robotics. Enterprises can now access a single point of contact to guarantee timely and high-quality fixes for ROS, ensuring they are not dependent on community maintainers. ROS ESM customers can also access support for other open-source software and infrastructure through their Ubuntu Pro subscription.
Is ROS ESM for me?
ROS ESM was designed for companies deploying commercial products and services based on ROS. Just like the rest of your software, ROS needs regular maintenance as projects scale. ROS ESM provides you with continuous maintenance of your ROS environment through security updates, CVE and critical bug fixes. It also includes more than 23,000 packages in Ubuntu Main and Universe.
As such, ROS ESM helps companies comply with security regulations.
What ROS distributions are supported?
We support ROS 1 Kinetic and Melodic, and ROS 2 Foxy. Newer ROS distributions will be supported.
For a list of the architectures supported by ESM, please visit the web page.
What packages are covered in ROS ESM?
ROS ESM focuses on core ROS functionality. ROS ESM covers the REP-142 ‘ros_base’ variant for ROS 1 and its equivalent ‘ros_core’ for ROS 2.
This includes packages such as python-catkin, python-rosdep, ros-${ROS_DISTRO}-ros-core…, ros-${ROS_DISTRO}-genmsg/rosbag…, per supported ROS distribution.
ROS ESM only applies to ROS on Ubuntu.
What’s included in Ubuntu Universe and Ubuntu Main?
Ubuntu Main includes more than 2,300 packages that are maintained for free during the 5 years of the LTS’ standard support. These packages get security maintenance for an extra 5 years during the ESM period. This includes packages such as Python, OpenSSL, OpenVPN, network-manager, sed, curl, systemd, udev, bash, OpenSSH, login, libc…
ROS ESM also gives you access to security maintenance for Ubuntu Universe. Universe holds more than 23,000 debs that ROS developers use but that are not part of Ubuntu Main, and therefore receive no security maintenance during the standard LTS window. This includes packages such as Boost, Qt, OpenCV, PCL, python-(argcomplete, OpenCV, pybind11, png…), cython, eigen, GTK, FFMPEG…
For the whole list of what’s included in Main and Universe, you can visit the Ubuntu Packages Search tool.
How do I get ROS ESM?
As we mentioned above, ROS ESM is available with an Ubuntu Pro subscription. You can get the subscription by purchasing it on the Ubuntu Pro store. This is recommended for companies that need ESM for a few units.
For companies with larger fleets, we offer the Embedding Programme. This option is recommended for companies with a large volume of devices, and those looking to easily add support to estates that grow over time. The Embedding Programme offers a discount-based pricing model compared with buying individual subscriptions.
To join the Embedding Programme you need to get in touch with a sales representative.
How do I consume ROS ESM updates?
You can consume only security-related updates, or both security updates and bug fixes. This user introduction document has all you need to get started. In essence, you do not have to make changes to your current ROS application. ROS ESM simply enables a new PPA for you to consume updates. This keeps the downtime and effort needed to migrate to ROS ESM to a minimum.
How long will ROS Kinetic be maintained?
ROS Kinetic and Ubuntu 16.04 LTS reached EOL in 2021. With ROS ESM, they will be supported for an additional 5 years until April 2026.
We have released more than 1,400 CVE patches for our ESM customers since 16.04 and ROS Kinetic reached their end of support.
How long will ROS Melodic and ROS 2 Foxy be maintained?
With ROS ESM, ROS Melodic and ROS 2 Foxy will be supported for five more years until April 2028.
Do ROS ESM updates execute automatically on the device?
ROS ESM follows the standard Ubuntu update process. ESM does not push updates to devices. Rather, subscribers pull them or explicitly enable automatic updates. With ROS ESM you can decide whether to consume security updates only or both security updates and bug fixes.
As an Ubuntu Pro user, you also get access to Livepatch, Canonical’s service to apply critical kernel patches without rebooting.
What’s involved in ROS ESM vulnerability monitoring?
ROS ESM uses static analysis tools that run daily and scan all the code included in ROS ESM for vulnerabilities. Common Vulnerabilities and Exposures (CVEs) are triaged by Canonical’s Security team as soon as they are reported, and assigned a level of criticality, from Negligible to Critical. This is the same infrastructure used for Ubuntu, now available for ROS.
After applying a patch, any proofs of concept for the issue are run again to make sure the issue can no longer be reproduced. Then, the patched version is thoroughly tested once again to ensure functionality has not been affected, and to guarantee API/ABI stability.
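The operator-side half of this loop, as an added example that is not Canonical's tooling: triage a CVE feed by the Negligible-to-Critical scale named above, find which entries still apply to a device by comparing the installed package versions with the first fixed version (using dpkg's version-ordering rules), and run the same check again once the updates have been pulled. The feed records, the CVE ids (placeholders, not real advisories), the version strings and the `dpkg-query` snapshot lines are all constructed for the example; the "run the proof of concept again" step the text describes is a separate, exploit-specific test and is not what this script does.

```python
# Added example, not Canonical's tooling. Triages a CVE feed against a robot's
# installed packages using dpkg version semantics. All data below is constructed:
# placeholder CVE ids, feed fields (package, priority, first fixed version) and
# snapshot lines in the form printed by `dpkg-query -W -f='${Package} ${Version}\n'`.
from dataclasses import dataclass

# Ubuntu's triage scale, as named on the page (Negligible .. Critical).
PRIORITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def _order(c: str) -> int:
    """dpkg weight for one character of a non-digit run ('' means end of string)."""
    if c == "" or c.isdigit():
        return 0
    if c == "~":
        return -1  # '~' sorts before everything, even the end of the string
    return ord(c) if c.isalpha() else ord(c) + 256  # punctuation sorts after letters


def _cmp_fragment(a: str, b: str) -> int:
    """dpkg's verrevcmp: alternate lexical non-digit runs and numeric digit runs."""
    def at(s: str, k: int) -> str:
        return s[k] if k < len(s) else ""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (at(a, i) and not at(a, i).isdigit()) or (at(b, j) and not at(b, j).isdigit()):
            ac, bc = _order(at(a, i)), _order(at(b, j))
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while at(a, i) == "0":  # leading zeros of a digit run are insignificant
            i += 1
        while at(b, j) == "0":
            j += 1
        while at(a, i).isdigit() and at(b, j).isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if at(a, i).isdigit():  # the longer digit run is the larger number
            return 1
        if at(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 for [epoch:]upstream[-revision] strings, with dpkg semantics."""
    def split(v: str):
        epoch, v = v.split(":", 1) if ":" in v else ("0", v)
        upstream, rev = v.rsplit("-", 1) if "-" in v else (v, "")
        return int(epoch), upstream, rev
    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        r = _cmp_fragment(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    package: str
    priority: str
    fixed_version: str  # first version that carries the fix


def parse_dpkg_snapshot(text: str) -> dict:
    """'<package> <version>' per line (dpkg-query -W output) -> {package: version}."""
    return dict(line.split() for line in text.splitlines() if line.strip())


def outstanding(feed: list, installed: dict) -> list:
    """CVEs whose package is installed below its fixed version, most urgent first."""
    hits = [r for r in feed if r.package in installed
            and compare_versions(installed[r.package], r.fixed_version) < 0]
    return sorted(hits, key=lambda r: (-PRIORITY_RANK[r.priority], r.cve_id))


# Constructed feed: placeholder ids, package names taken from the page.
CONSTRUCTED_FEED = [
    CveRecord("CVE-0000-0001", "openssl", "high", "1.0.2g-1ubuntu4.20+esm1"),
    CveRecord("CVE-0000-0002", "curl", "medium", "7.47.0-1ubuntu2.19+esm1"),
    CveRecord("CVE-0000-0003", "ros-kinetic-rosbag", "low", "1.12.17-1"),
    CveRecord("CVE-0000-0004", "python-rosdep", "negligible", "0.20.0-1"),
]
# Constructed snapshots of one device before and after pulling the ESM updates.
BEFORE_PATCH = "openssl 1.0.2g-1ubuntu4.20\ncurl 7.47.0-1ubuntu2.19+esm1\nros-kinetic-rosbag 1.12.17-0\n"
AFTER_PATCH = "openssl 1.0.2g-1ubuntu4.20+esm1\ncurl 7.47.0-1ubuntu2.19+esm1\nros-kinetic-rosbag 1.12.17-1\n"

if __name__ == "__main__":
    for label, snap in (("before", BEFORE_PATCH), ("after", AFTER_PATCH)):
        todo = outstanding(CONSTRUCTED_FEED, parse_dpkg_snapshot(snap))
        print(label, [(r.cve_id, r.priority, r.package) for r in todo])
```

The version comparison is the part worth getting right: a naive string or float comparison would rank `1.0.2g-1ubuntu4.20+esm1` as equal to or below `1.0.2g-1ubuntu4.20` and report a patched device as still exposed, and would treat a `~rc1` pre-release as newer than the release it precedes. On a real device the snapshot comes from `dpkg-query -W -f='${Package} ${Version}\n'`, and `curl` is listed as already at its fixed version to show that the check is per package, not per device.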
Summary
We hope this blog has answered some of your questions related to ROS ESM. If you still have questions, please review the ROS ESM datasheet or get in touch if you need advice on the best path for your company.