Security Stance On Ubuntu Package Versions
Introduction
At Webscale, we prioritize the long-term stability and security of our customer environments. A frequent question arises: “Why is Webscale using an older version of Nginx instead of the latest mainline release?” To understand our stance, one must understand the trade-off between feature velocity and proven stability, and how the Linux ecosystem manages security through a process called “Backporting.”
The “Latest” vs. “Secure” Myth
In the world of consumer software (like phone apps), a higher version number almost always means better security. In enterprise server infrastructure, this isn’t always the case.
“Mainline” or “Latest” releases often include:
- New Features: These introduce fresh code, which inevitably introduces fresh, undiscovered bugs.
- Architectural Changes: These can break existing configurations or third-party modules.
- Short Support Windows: Upstream developers move fast and often stop patching older “mainline” versions quickly.
Why Webscale Chooses Ubuntu LTS Packages
Webscale utilizes packages from Ubuntu’s Long Term Support (LTS) repositories. This choice is based on a “Stability-First” philosophy:
1. The Value of Canonical’s Vetting
When we use an official Ubuntu package, we aren’t just using a piece of software; we are leveraging the security team at Canonical. They act as a massive filter, rigorously testing security patches before they ever reach a production server. This offloads the risk of “regression” (where a security fix accidentally breaks a different feature) from Webscale and our customers onto a global team of specialists.
2. Backporting: Security Without the Risk
The most critical concept in our strategy is Backporting. Instead of jumping to a brand-new version of Nginx to get a security fix, the security patch is “backwards-ported” into the current, stable version.
This gives our customers the best of both worlds:
- The security of the latest fix.
- The stability of a version that has been running without issues for months or years.
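Because a backported fix does not change the upstream version number, the place to confirm it is the package changelog, which names the CVE in the entry for the package revision that carries the patch. The script below is an added example, not Webscale's or Canonical's tooling; the function names and the embedded changelog (versions and CVE ids) are constructed placeholders. On a real host the same functions can read the output of `apt-get changelog nginx`.

```shell
#!/bin/sh
# Added example. The changelog below is constructed sample data in Debian
# changelog format; versions and CVE ids are placeholders, not real nginx data.
sample_changelog() {
cat <<'EOF'
nginx (1.18.0-0ubuntu1.3) focal-security; urgency=medium

  * SECURITY UPDATE: constructed example issue B
    - debian/patches/CVE-0000-0002.patch: add bounds check.
    - CVE-0000-0002
  * SECURITY REGRESSION: follow-up to the CVE-0000-0001 fix

 -- Example Maintainer <security@example.com>  Mon, 01 Jan 2024 00:00:00 +0000

nginx (1.18.0-0ubuntu1.2) focal-security; urgency=medium

  * SECURITY UPDATE: constructed example issue A
    - debian/patches/CVE-0000-0001.patch: validate length.
    - CVE-0000-0001

 -- Example Maintainer <security@example.com>  Fri, 01 Dec 2023 00:00:00 +0000
EOF
}

# Read a changelog on stdin; print "<package-version> <CVE-id>" once per pair.
list_backported_cves() {
  awk '
    /^[a-z0-9][a-z0-9+.-]* \(/ {      # stanza header: "pkg (version) suite; ..."
      ver = $2; gsub(/[()]/, "", ver); next
    }
    {
      line = $0
      while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
        id = substr(line, RSTART, RLENGTH)
        if (!seen[ver SUBSEP id]++) print ver, id
        line = substr(line, RSTART + RLENGTH)
      }
    }'
}

# Changelogs are newest-first, so the last match is the earliest package
# version that mentions the CVE. Prints nothing if the CVE never appears.
first_fixed_version() {
  list_backported_cves | awk -v id="$1" '$2 == id { v = $1 } END { if (v != "") print v }'
}

sample_changelog | first_fixed_version CVE-0000-0001
```

Comparing the reported version with the installed one (`dpkg-query -W nginx`) shows whether the host already carries the fix; an empty result means the changelog never mentions that CVE and the package should be treated as unpatched until checked further.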
Conclusion: Reliability as a Service
While it may appear that a system is “out of date” based on a version number, the underlying security posture is identical to the latest release, but with significantly lower operational risk. By sticking to vetted, backported packages, Webscale ensures that a security update never becomes a “breaking” update.