It's not a new insight but still worth mentioning given that Ubuntu 16.04 LTS was released a couple of days ago: Although Canonical claims that LTS versions "are supported for five years on both the desktop and the server. During that time, there will be security fixes and other critical updates.", this is not the whole truth.

An article on heise.de is a reminder that this LTS support only applies to the main repository (with about 7,300 packages in 16.04), not to universe (with about 45,500 packages). This is critical as many packages therein are no longer maintained and can therefore be affected by security holes.

An example mentioned in that article is the widely used VLC. That package was officially supported for just 9 months in Ubuntu 12.04 and 14.04 but got security fixes for a longer time. However, this is no longer the case: That package is no longer maintained by the community and is, as a consequence, affected by several vulnerabilities. Another example is the libmms package, which is needed if you enable software support from third parties (e.g. for mp3 support). A serious vulnerability hasn't been fixed since Ubuntu 12.04!

The thing is that those vulnerabilities are all fixed in Debian, as all provided packages are maintained and security fixes are backported.

You can find out the support status in Ubuntu by executing

Code:
ubuntu-support-status --show-unsupported

or more detailed:

Code:
ubuntu-support-status --show-all | less

You will notice that many packages are only supported for 3 years or even only 9 months. For specific packages you can see this from the "Supported:" line in

Code:
apt-cache show package

The article mentions that even for well-known packages like MariaDB, Nodejs, Nullmailer, Privoxy, Wireshark and Docker the support status is either completely undefined or only 9 months.

Conclusion: If you really want an LTS version and stick with Ubuntu, you should try to only use packages from the main repository. If you need packages from universe, you should regularly check the Ubuntu CVE tracker for universe. Or choose a distro like Debian or CentOS which does it properly.

P.S.: Debian (and probably also CentOS) isn't perfect, either. If you install the debian-security-support package and execute check-support-status, you will also get a list of packages which don't get security updates. These are packages with "No security support upstream and backports not feasible, only for use on trusted content". This makes sense: If a package is no longer supported by upstream, no security fixes will be available which could be backported. But the situation on Ubuntu is much worse.
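The per-package "Supported:" check described above can be run over many packages at once. The following is an added example, not part of the original post: it parses stanzas in the format printed by apt-cache show and lists packages whose support period is undefined or below a threshold. The function names and the sample package names are hypothetical, and the sample stanzas are constructed.

```shell
# Added example (not from the original post). Lists packages whose "Supported:"
# period is undefined or shorter than MIN_MONTHS: package, component, period.
support_report() {  # usage: support_report MIN_MONTHS < stanzas
    awk -v min="$1" '
    BEGIN { RS = ""; FS = "\n" }           # paragraph mode: one stanza per record
    {
        pkg = ""; sect = ""; sup = ""
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^Package: /)   pkg  = substr($i, 10)
            else if ($i ~ /^Section: /)   sect = substr($i, 10)
            else if ($i ~ /^Supported: /) sup  = substr($i, 12)
        }
        if (pkg == "" || seen[pkg]++) next  # report each package once
        # Non-main components appear as a prefix, e.g. "universe/net".
        comp = (sect ~ /\//) ? substr(sect, 1, index(sect, "/") - 1) : "main"
        if (months(sup) < min)
            printf "%s\t%s\t%s\n", pkg, comp, (sup == "" ? "undefined" : sup)
    }
    # "5y" -> 60, "9m" -> 9; a missing or unrecognised value counts as 0.
    function months(s) {
        if (s ~ /^[0-9]+y$/) return 12 * (s + 0)
        if (s ~ /^[0-9]+m$/) return s + 0
        return 0
    }'
}

# Constructed sample input; the package names are hypothetical.
sample_stanzas() {
    cat <<'EOF'
Package: example-main-tool
Section: utils
Supported: 5y
Description: constructed entry
 with a continuation line

Package: example-player
Section: universe/video
Supported: 9m

Package: example-proxy
Section: universe/net

Package: example-lib
Section: libs
Supported: 3y
EOF
}
sample_stanzas | support_report 60
```

On a real system the input could come from something like `dpkg-query -W -f='${Package}\n' | xargs apt-cache show` piped into `support_report 60`; that invocation is an assumption and not from the post.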