Everything that’s in main gets released to everyone with the security fixes. Canonical’s security team works on those.
The stuff in the universe repo is owned by the Ubuntu community (not by Canonical), so anyone can submit those fixes, but it depends on the Masters of the Universe, who are all volunteers, to get it upstreamed.
The extra Ubuntu Pro updates for the universe repo come from when someone who’s paying for Ubuntu Pro asks Canonical to make a patch. The source is still available to anyone, so someone could take that patch and then submit it to the community who maintains the universe repo.
Once the 5 years of standard support ends, then the only way to get additional fixes is through Ubuntu Pro, but if Canonical writes those fixes they also submit them back upstream (as opposed to if they grab a specific patch from upstream — and even then it’s still available on Launchpad regardless.
The reason nobody’s made a CentOS but for Ubuntu Pro is that it’s way easier to submit the patches through the community (and become part of that community who approves packages) than it is to spin up all the infrastructure that would be needed.
But why are the patches kept separate at all. Especially if it’s a copyleft licensed code they’re patching. Many of those require release of the code. And the spirit of that was to make companies who profit off of the code release anything they add as they add it. Otherwise, they’re welcome to instead of taking open source code and patching it, creating closed source code from scratch without using any of the code from the open source version and selling that. It’s very simple. The license says, you want this code, you’re welcome to it, but release any fixes or improvements you make do we all benefit, not just developers, but users all benefit. If they keep it locked up, even if they release it as a patch that’s not accessible to the large majority of users, then it’s violating the spirit if in some cases not the letter of the license.
Those patches get either pulled from upstream or built in-house and shared to upstream. Just like in Debian, and just like in the regular Ubuntu releases, the package is based on some upstream version and then the deb packaging applies the patch sets as listed in the diff tarball.
Everything that’s in
maingets released to everyone with the security fixes. Canonical’s security team works on those.The stuff in the
universerepo is owned by the Ubuntu community (not by Canonical), so anyone can submit those fixes, but it depends on the Masters of the Universe, who are all volunteers, to get it upstreamed.The extra Ubuntu Pro updates for the
universerepo come from when someone who’s paying for Ubuntu Pro asks Canonical to make a patch. The source is still available to anyone, so someone could take that patch and then submit it to the community who maintains theuniverserepo.Once the 5 years of standard support ends, then the only way to get additional fixes is through Ubuntu Pro, but if Canonical writes those fixes they also submit them back upstream (as opposed to if they grab a specific patch from upstream — and even then it’s still available on Launchpad regardless.
The reason nobody’s made a CentOS but for Ubuntu Pro is that it’s way easier to submit the patches through the community (and become part of that community who approves packages) than it is to spin up all the infrastructure that would be needed.
But why are the patches kept separate at all. Especially if it’s a copyleft licensed code they’re patching. Many of those require release of the code. And the spirit of that was to make companies who profit off of the code release anything they add as they add it. Otherwise, they’re welcome to instead of taking open source code and patching it, creating closed source code from scratch without using any of the code from the open source version and selling that. It’s very simple. The license says, you want this code, you’re welcome to it, but release any fixes or improvements you make do we all benefit, not just developers, but users all benefit. If they keep it locked up, even if they release it as a patch that’s not accessible to the large majority of users, then it’s violating the spirit if in some cases not the letter of the license.
…that’s not what they’re doing though?
Those patches get either pulled from upstream or built in-house and shared to upstream. Just like in Debian, and just like in the regular Ubuntu releases, the package is based on some upstream version and then the deb packaging applies the patch sets as listed in the diff tarball.
Here’s what the latest kernel for Ubuntu 26.04 look like: https://launchpad.net/ubuntu/+source/linux/6.17.0-6.6
Those same tarballs are available for any Ubuntu package by running
apt source <pkg>as long as you’ve configured the matchingdeb-srcrepositories.