ESM for ROS: 10 things you need to know
Gabriel Aguiar Noury
on 26 April 2024
This article provides a concise, 10-point guide designed to help you determine if ESM (Expanded Security Maintenance) is the right choice for your robotics project.

With the End of Life of ROS Noetic, we have received many questions from people in the robotics community who are interested in learning about Expanded Security Maintenance for ROS (ESM for ROS).
In brief, Expanded Security Maintenance lengthens the support period for ROS LTS (long-term support) releases to 15 years, when used on Ubuntu. But is ESM the right option for you?
In this blog, we’ll give you the essential rundown of ESM for ROS in 10 easy-to-follow points, to help you make the right decision for your robotics project.
- What is ESM for ROS?
- What else is included in an Ubuntu Pro subscription?
- Is ESM for ROS right for me?
- How long will ROS Noetic be maintained?
- Which other ROS distributions are supported by ESM for ROS?
- Which ROS packages are covered by ESM for ROS?
- How do I get ESM for ROS?
- How do I consume ESM for ROS updates?
- Does ESM for ROS automatically apply updates on the device?
- What’s involved in ESM for ROS vulnerability monitoring?
1. What is ESM for ROS?
ESM for ROS (Expanded Security Maintenance for ROS) is a service by Canonical that provides security maintenance for ROS LTS releases for up to 15 years, going beyond the standard 5-year support period offered by the upstream project.
Expanded Security Maintenance is available through Ubuntu Pro, Canonical’s comprehensive subscription for open source security. In addition to a longer support period, users of ROS on Ubuntu benefit from a broader scope of patching, for 25,000 packages from the wider open source universe, including:
- Key infrastructure components (such as Python, OpenSSL, OpenVPN, network-manager, sed, curl, systemd, udev, bash, OpenSSH, login, libc, etc.)
- Open source applications and libraries (such as Boost, Qt, OpenCV, PCL, cython, Eigen, GTK, FFMPEG, etc.)
2. What else is included in an Ubuntu Pro subscription?
In addition to Expanded Security Maintenance (ESM), an Ubuntu Pro subscription provides a set of enterprise-grade tools for managing systems, maintaining uptime, and meeting security requirements.
- Landscape: Canonical’s centralized systems management and monitoring tool for your Ubuntu infrastructure.
- Canonical Livepatch: enables the application of critical kernel security patches without requiring a system reboot.
- Security automation: facilitates system hardening and compliance with industry standards like FIPS and CIS.
- Real-time Kernel: supports specialized, time-sensitive operations through a low-latency kernel.
- Support: an optional add-on for technical assistance from Canonical’s engineering team.
To discuss which option works best for you, we recommend getting in touch with our team.
3. Is ESM for ROS right for me?
We often get asked whether it’s better to opt for ESM, or to upgrade to the latest ROS LTS release. The answer is that it depends on your use case.
For robotics projects that operate in high-pressure environments, strict compliance requirements and time-sensitive operations are a daily reality, meaning that upgrades can be highly disruptive and carry a large degree of risk.
ESM for ROS is intended to give these organizations the breathing space to focus on their core work, on a stable and supported foundation. This service is specifically engineered to help teams meet rigorous regulatory requirements, including FIPS and the Cyber Resilience Act (CRA), without the immediate need for platform migrations.
However, other organizations may prefer to upgrade. This option is usually preferred by those who want the latest features as soon as they are available, and have the CI/CD maturity to move fast without disruption to business. Whichever option you choose, you can count on our commitment to your projects, and to ROS.
4. How long will ROS Noetic be maintained?
ROS Noetic and Ubuntu 20.04 LTS reached their end of standard support in 2025. However, with ESM for ROS, they will be supported for up to 15 years, until April 2035.
5. Which other ROS distributions are supported by ESM for ROS?
We support ROS 1 Kinetic, Melodic and Noetic, as well as ROS 2 Foxy. Newer ROS distributions will also be supported when they are released.
- ROS Kinetic and Ubuntu 16.04 LTS reached EOL in 2021. With ESM for ROS, they will be supported for up to 10 years until April 2031.
- ROS Melodic, ROS 2 Foxy and Ubuntu 18.04 LTS reached EOL in 2023. With ESM for ROS, they will be supported for up to 15 years until April 2033.
Visit our dedicated web page for a list of supported architectures with ESM.
6. Which ROS packages are covered by ESM for ROS?
ESM for ROS focuses on core ROS functionality, which means the following:
- ESM for ROS covers the REP-142 ‘ros_base’ for ROS 1 and its equivalent ‘ros_base’ for ROS 2.
- This includes packages such as python-catkin, python-rosdep, ros-${ROS_DISTRO}-ros-core…, ros-${ROS_DISTRO}-genmsg/rosbag…, per supported ROS distribution.
ESM for ROS only applies to ROS on Ubuntu. ESM cannot be used if you are running ROS on another operating system.
7. How do I get ESM for ROS?
ESM for ROS is available with an Ubuntu Pro subscription, which is free for personal users on up to 5 machines.
For businesses, Ubuntu Pro for Devices provides a straightforward pricing structure for those operating large fleets of devices, with a one-time fee per device.
To discuss pricing and determine the right option for you, get in touch with our team.
8. How do I consume ESM for ROS updates?
You can choose to consume solely security-related updates, or opt for both security updates and bug fixes. In essence, you do not have to make changes to your current ROS workflow. ESM for ROS sets up a new PPA for you to consume updates. This reduces the downtime or resources needed to migrate to ESM for ROS.
For further detail on configuring updates with ESM for ROS, visit our user introduction document.
9. Does ESM for ROS automatically apply updates on the device?
ESM for ROS follows the standard Ubuntu update process. ESM for ROS does not push updates to devices by default. Rather, subscribers pull them or can explicitly enable automatic updates. With ESM for ROS, you can decide whether to consume security updates only, or both security updates and bug fixes.
As a user of ESM for ROS, you also get access to Livepatch, Canonical’s service to apply critical kernel patches without rebooting.
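The choices described in points 8 and 9 can be audited on a device from the Ubuntu Pro client's status report and the APT periodic settings. The following is an added example, not code from Canonical or the original post; it assumes the client's `ros` and `ros-updates` service names and the field layout of `pro status --format json`, and both sample inputs are constructed.

```python
import json
import re

# Constructed sample, shaped like trimmed `pro status --format json` output.
SAMPLE_STATUS = json.dumps({
    "attached": True,
    "services": [
        {"name": "livepatch", "entitled": "yes", "status": "disabled"},
        {"name": "ros", "entitled": "yes", "status": "enabled"},
        {"name": "ros-updates", "entitled": "yes", "status": "disabled"},
    ],
})

# Constructed sample of /etc/apt/apt.conf.d/20auto-upgrades.
SAMPLE_APT_CONF = '''
// APT::Periodic::Unattended-Upgrade "0";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
'''

def enabled_services(status_json):
    """Return the set of enabled Pro services, or None if unusable."""
    try:
        status = json.loads(status_json)
    except json.JSONDecodeError:
        return None
    if not isinstance(status, dict) or not status.get("attached"):
        return None
    return {s.get("name") for s in status.get("services", [])
            if isinstance(s, dict) and s.get("status") == "enabled"}

def ros_update_channel(status_json):
    """Classify which ESM for ROS updates the machine is set to consume."""
    enabled = enabled_services(status_json)
    if enabled is None:
        return "unattached-or-unreadable"
    if "ros-updates" in enabled:
        return "security+bugfix"
    return "security-only" if "ros" in enabled else "none"

def auto_upgrades_on(apt_conf):
    """True if the last uncommented Unattended-Upgrade setting is non-zero."""
    on = False
    for line in apt_conf.splitlines():
        line = line.split("//", 1)[0]  # drop // comments
        m = re.search(r'APT::Periodic::Unattended-Upgrade\s+"(\d+)"', line)
        if m:
            on = int(m.group(1)) > 0
    return on

if __name__ == "__main__":
    print(ros_update_channel(SAMPLE_STATUS), auto_upgrades_on(SAMPLE_APT_CONF))
```

The APT check only shows that unattended upgrades are switched on; which package origins they apply is set in the unattended-upgrades configuration, which this example does not inspect.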
10. What’s involved in ESM for ROS vulnerability monitoring?
ESM for ROS uses static analysis tools that run on a weekly basis. These tools scan all the code included in ESM for ROS for vulnerabilities. Common vulnerabilities and exposures (CVEs) are triaged by Canonical’s Security team as soon as they are reported, and assigned a level of criticality, from Negligible to Critical. Learn more about the ESM security process.
After applying a patch, any proofs of concept for the issue are run again to make sure it can no longer be reproduced. Then, the patched version is thoroughly tested once again to ensure functionality has not been affected and to ensure API/ABI stability whenever possible.
Summary
We hope this blog has answered your questions related to ESM for ROS. If you want to talk to us about whether ESM for ROS is right for you, get in touch with our team.