With the announcement of Robot Operating System (ROS) Extended Security Maintenance (ESM), we have received many questions from our robotics community interested in knowing more about this enterprise solution. Some of these questions are related to ROS Kinetic End-of-life, others explore how ROS ESM enables security compliance and our enterprise support for ROS. This blog aims to answer some of the most common questions. For more background, please have a look at What is ROS ESM?.
If after reading this article you still have some more questions, feel free to get in touch.
What is ESM?
Extended Security Maintenance (ESM) for Ubuntu underpins ROS ESM and provides extended Linux kernel and open source security updates for the Ubuntu base OS. This includes key infrastructure components, like Ceph, OpenStack and Kubernetes, as well as open source applications, like Python 2, OpenCV3, PostgreSQL, NGINX, and more. Although not part of ROS, many of these applications are commonly bundled with robotics applications.
What is ROS ESM?
ROS ESM builds on top of Ubuntu ESM by giving you a hardened and long-term supported ROS system.
ROS ESM is part of Ubuntu Advantage, Canonical’s service package for Ubuntu. This package includes 10 years of critical security updates and fixes for CVEs in addition to support.
What is included in ROS ESM?
ROS ESM includes:
- Backported security updates for ROS, the Ubuntu base OS and scale-out infrastructure.
- CVE (Common Vulnerabilities and Exposures) fixes for ROS and other important dependencies (e.g. Python2, OpenCV3), and the Ubuntu base OS.
- Curated ROS packages that don’t break API/ABI.
- ROS enterprise support.
What is ROS enterprise support?
ROS enterprise support is a part of ROS ESM. With ROS ESM, customers are provided with long-term support for their ROS and Ubuntu environment provided by Canonical and Open Robotics. Enterprises can now access a single point of contact to guarantee timely and high quality fixes for ROS, ensuring they are not dependent on community maintainers.
ROS ESM customers can also access support to other open source software and infrastructure through their subscription to Ubuntu Advantage.
Is ROS ESM for me?
ROS ESM was designed for companies deploying commercial products and services based on ROS. Just like the rest of your software, ROS needs regular maintenance as projects scale. ROS ESM provides you with continuous maintenance of your ROS environment through security updates, CVE and critical bug fixes.
Whether your ROS distribution is reaching its end of life, or you are not receiving the tailored security updates and fixes your system or customer requires, ROS ESM is here to make your work easier.
How do I get ROS ESM?
If you want to learn more about ROS ESM or if you want to get ROS ESM, please get in touch.
Does it offer maintenance only for EOL distributions of ROS?
No. ROS ESM also covers non-EOL, LTS releases for ROS and Ubuntu. For LTS releases, this will include support and security updates for other packages important to ROS (e.g. Python2, OpenCV3), plus curated packages that don’t break API/ABI.
What ROS distributions are supported?
We support ROS 1 Kinetic, Melodic, Noetic and ROS 2 Foxy. Newer ROS 2 distributions can and will be supported.
The scope of ROS ESM starts with covering the REP-142 ‘ros_base’ and grows towards ‘desktop’. We’re following a process similar to the Ubuntu Main Inclusion Process to make sure that what we provide can be officially maintained, supported and secured.
ROS ESM only applies to ROS on Ubuntu.
Is ROS ESM a fork?
ROS ESM is a fork focused on security and stability. This fork does not add new features and diverges from upstream only to meet our customers’ security and stability requirements. Our goal is to keep your deployed robot secure for up to a decade with security updates, CVE patches and bug fixes.
Will ROS fixes be contributed upstream as well?
Fixes applied to ROS ESM are also proposed upstream for non-EOL distros. As a matter of fact, we have already contributed dozens of fixes to Kinetic.
Does ROS ESM help with security compliance?
With ROS deployed as part of so many commercial products and services, the need to extend security and support for ROS robots is clear. ROS ESM enables compliance with the software maintenance requirements of typical cybersecurity frameworks.
Considering CIS Controls v7.1, ESM addresses control 2.2, “Ensure Software is Supported by Vendor”, control 3.4, “Deploy Automated Operating System Patch Management Tools”, and control 3.5, “Deploy Automated Software Patch Management Tools.”
Similarly for the NIST Cybersecurity Framework v1.1, ESM addresses category PR.MA: “Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.”
How long will ROS Kinetic be maintained?
ROS Kinetic and Ubuntu 16.04 LTS will continue to be supported for three more years beyond the end of their free initial five-year maintenance period in April 2021, as they transition to the extended security maintenance phase. Keep receiving security updates and CVE fixes for ROS Kinetic with ROS ESM.
What CVEs will receive patches?
ESM is focused on fixing high- and critical-severity CVEs. Low- and medium-severity CVEs typically have a mitigation path.
Do ROS ESM updates execute automatically on the device?
ROS ESM follows the standard Ubuntu update process. ESM does not push updates to devices. Rather, subscribers pull them or explicitly enable automatic updates. With ROS ESM you can decide whether to consume exclusively security updates or both security updates and bug fixes.
As a ROS ESM user, you also get access to Livepatch, Canonical’s service for applying critical kernel patches without rebooting.
Which hardware platforms are supported under Ubuntu ESM?
Currently, we are maintaining the Ubuntu Cloud/Server 64-bit AMD/Intel binaries. We will extend support for other platforms in future updates.