Proprietary software makes you rely on a company to fix everything. It's like driving a car without being able to replace a flat tire.
No one expects perfect software, but this clearly happened because Microsoft's software was broken, the NSA found where, and hoarded and then lost control of that knowledge.
edited: I understand what you mean about people not patching and leaving themselves vulnerable. A lot of pain could have been prevented at that level.
Long-term support ended in May 2013 for desktop. But Ubuntu patched the bug in March 2017 for all currently supported versions of Ubuntu.
Then the NHS got hit by the bug.
How does free / non-microsoft software protect against a shitty decision to not update / upgrade?
By not bundling upgrades with what is essentially malware, and making them as inconvenient as possible.
If I am running Ubuntu 10.04.4, and I hear about serious malware that relies on a security hole that is patched upstream, I have the opportunity to patch it myself, and keep running Ubuntu 10.04.4 as long as I want.
That being said, it's disingenuous to compare unpatched Windows 10 with unpatched Ubuntu 10.04. It is totally unreasonable to think you are secure using an unsupported OS, but it is a lot more reasonable to think you are secure running Windows 10 just a couple months out of date.
1. why would anybody want to keep 10.04 alive?
2. do you think the type of people who stubbornly continue to use 10.04 would know/care enough about security to seek an alternative source for security patches?
edit: should maybe add why this pisses me off: just logged into a production server running 12.04, default install Apache and updates _turned off_. The owner looked confused (and slightly bored) when I explained the problem to him.
I do think it's important to recognize that there is a model under which an organization can. I'd even argue that it's more "free market" than that of single-source proprietary software, too. If there's a market in maintaining non-proprietary software, someone will pop up to fill it (even if it's just a lone-wolf consultant). With proprietary software that can't happen.
Whether or not an organization or individual chooses to maintain software is an orthogonal concern to the model under which they maintain it. Even when there is a free market for maintenance some will opt to eschew maintenance. Personally, I'd like those organizations to pay the cost by way of data loss, downtime, going out of business, etc.
I'm not overly worried about it. I think traditional regulatory and risk management will eventually catch up. Someday (hopefully sooner rather than later) businesses won't be able to get basic insurance policies unless they can prove they're doing IT maintenance, for example.
Even if you pay money for Windows 10, it is unlikely to even start on the hardware that XP ran on. Not only will people have to go through the budget to pay for the software, but now you need a full upgrade plan.
To put this in a concrete example: if a hospital had a check-in system running 12.04, they could just take someone internal from IT and go and fix it. If it was Windows XP, then they need to go through finance, get offers from competing companies, fit the upgrade into the budget, and lastly have people installing it at each of the hospital's entrances. The first case has a project length of days and the other of months, and in the worst case years.
> Assuming these hospitals keep updating and do not get stuck at Ubuntu 10.04.
It's that simple.
If someone wants to continue using outdated software, they will want to keep supporting it. Free software lets them do that. Proprietary software specifically forbids it.
So, 1. because there is a community outside of a major corp who are active, so it isn't a burden on Canonical. 2. yes? see 1.
Should any IT professional not have upgraded from 10.04? No. It's free to upgrade, unlike Win which, remember, isn't a single upgrade, licensing is per user.
Or just stick with CentOS and its 11-year support period.
For cost, CentOS, on its own, is free. Support costs you of course, but the updates are coming down from Red Hat, for which there is enough money flowing in already, so support in this case means a sysadmin who understands CentOS, and those are not that rare, not even that expensive.
Backwards compatibility is another topic, especially with the rise of systemd.
If the corresponding software is not included in any official or semi-official repositories (EPEL, for example), but is distributed with source, you may need someone to recompile it every 11 years, when you change major versions. I think this is reasonable to expect, though there might be issues for certain, especially if it involves Gnome3.
For those that are distributed without source code - well, that is the same problem as with XP, but usually it's possible to strace why it fails and fix/replace/do some magic with the underlying libraries it's depending on.
When this is not possible you can still create a container image with the old code to run it with.
With all the power out there, even in office workstations, we could:
- install a base, damn stupid Linux as hypervisor
- run windows in virtualbox with shared folders
- use btrfs for the shared folders and keep daily snapshots for a few weeks
If you get a virus, drop the image, get a new one, restore the snapshot, done.
If anyone is already using something like this, please tell, I'm curious.
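The snapshot part of the setup described in the comment above, as an added example that is not code from the commenter: a daily read-only btrfs snapshot of the subvolume shared into the Windows VM, pruning after a retention window, and a rollback that sets the infected tree aside and re-creates the shared folder from a clean snapshot. The paths (/srv/share as the shared subvolume, /srv/.snapshots for snapshots), the 21-day retention and the GNU `date -d` usage are assumptions for illustration; set DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread). Hypothetical layout:
#   /srv/share                      btrfs subvolume shared into the VM
#   /srv/.snapshots/share-YYYY-MM-DD  read-only daily snapshots of it
# A guest that has /srv/share mounted cannot touch a read-only snapshot,
# so an encrypting payload inside the VM cannot destroy the history.
set -eu

LIVE="${LIVE:-/srv/share}"
SNAPDIR="${SNAPDIR:-/srv/.snapshots}"
KEEP_DAYS="${KEEP_DAYS:-21}"
DRY_RUN="${DRY_RUN:-}"

# Execute a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Snapshot path for an ISO date (YYYY-MM-DD).
snap_path() { printf '%s/share-%s\n' "$SNAPDIR" "$1"; }

# Take today's read-only snapshot (or one labelled with the given date).
take_snapshot() {
    day="${1:-$(date +%F)}"
    run btrfs subvolume snapshot -r "$LIVE" "$(snap_path "$day")"
}

# Pure selection logic, kept separate so it can be checked without btrfs:
# print every date older than the cutoff. ISO dates compare correctly as
# strings, and expr compares non-numeric operands as strings.
prune_candidates() {
    cutoff="$1"; shift
    for d in "$@"; do
        if expr "$d" \< "$cutoff" >/dev/null; then printf '%s\n' "$d"; fi
    done
    return 0
}

# Dates of the snapshots currently on disk.
list_snapshot_dates() { ls "$SNAPDIR" | sed -n 's/^share-//p'; }

# Delete snapshots older than KEEP_DAYS (GNU date syntax assumed).
prune_old() {
    cutoff="$(date -d "$KEEP_DAYS days ago" +%F)"
    for d in $(prune_candidates "$cutoff" $(list_snapshot_dates)); do
        run btrfs subvolume delete "$(snap_path "$d")"
    done
}

# Roll back after an infection: keep the encrypted tree for forensics
# instead of deleting it, then clone the chosen clean snapshot into a new
# writable subvolume at the live path. Stop the VM before doing this.
restore_from() {
    day="$1"
    run mv "$LIVE" "$LIVE.infected-$(date +%Y%m%d%H%M%S)"
    run btrfs subvolume snapshot "$(snap_path "$day")" "$LIVE"
}

case "${1:-}" in
    snapshot) take_snapshot "${2:-}" ;;
    prune)    prune_old ;;
    restore)  restore_from "${2:?snapshot date required}" ;;
    "")       ;;   # no arguments: only define the functions
    *)        echo "usage: $0 snapshot [DATE] | prune | restore DATE" >&2; exit 2 ;;
esac
```

Run `snapshot` and `prune` from a daily cron entry on the host; after an incident, shut the VM down, run `restore DATE` with the last snapshot taken before the encryption started, and replace the VM image from a known-good copy before starting it again. The restore deliberately renames rather than deletes the infected subvolume so the encrypted files remain available for analysis.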
Sorry, open source never equals free software (most of the time). Though what you said may be true for both.
And some day, we will surely know why free software is better than open source. It's only a matter of time. But by then, it will be too late, and out of control.
Eh, never. Not even for open source. Once the source is closed, it is no longer open source (and neither is it free software).
For software to be open source, the user should have a way to obtain the source code legally (that is, stolen source code won't make software open source).
For software to be free software, the user should have the freedom to (modify and) replace the software with the user's version of the software (of course, source code availability is a prerequisite for this).
Say, for example, your router, Android phone, TV, car, or your espresso machine could be running Linux, which is open source. You get the source code of those over the Internet or from the vendor on request. But you may not be allowed to change it. So you are always at the mercy of the vendor if something happens (like the one happening now). They are open source, but they are not free software. (GNU [A]GPLv3 enforces this freedom. Some like it, some don't.)
Software can be free or non-free based on where the code is run, not just whether you get the source or not.
This is freedom 1 by free software definition:
The freedom to study how the program works, and change it so it does your computing as you wish.
See https://www.gnu.org/philosophy/free-sw.html for more details.
Open source would be the term for that. Free requires end users to receive source, open just allows you to use the source if you have a copy.
What we have is a cultural issue, not a legal issue.