Do not get me wrong – I use Ubuntu and try to contribute to bugs (making and fixing). In fact, I am testing out 16.04 on my Chromebook and work computer right now (Fedora 23 is on my Home Desktop). However, I can’t find myself placing an Ubuntu server in production for one simple reason:
While Ubuntu has a good security team, I can’t recall in previous years a security patch introduced because an Ubuntu security individual found it. I do read about RedHat, SUSE, and Debian teams finding and submitting CVEs and patches; however it raises several questions as to why Ubuntu is not more seen in the discovery side.
Is it because Ubuntu relies heavily upon upstream security? That’s not a bad thing. It just needs to be more transparent if it is.
Is it because Ubuntu security team members label themselves as Debian security team? That’s not a huge problem – it just means their loyalty lies with upstream and not the current working branch.
Is it because Ubuntu makes backdoors? I hope not!
The absence in this particular area just makes me wonder if Security is top priority in Canonical or if it is an afterthought. This feeling is enough to keep me from deploying Ubuntu in production. I would rather use and support distributions that make a high priority on security patches as they are on my side to keep unauthorized access of my servers to zero.