If there’s a bug in SSH libraries that Canonical ships in Ubuntu, that is their distribution of that library even if they are not the primary authors. Canonical guarantees support for the software it ships, so they are obligated to fix it no matter what. Fixes are upstreamed to the primary author - the author never asked for their software to be included in that distribution so it’s not their problem to fix it for Ubuntu users.

This is a model that solves the problem the author is discussing.

Are we talking about, like, legal liability or just a feeling of social obligation?

I think with software supply chain, we’re talking about the former, and I don’t think Canonical has any legal liability toward me (who hasn’t paid them anything; although because I expect nothing I didn’t read the license in detail). In terms of feelings of social obligation it is much more complex, of course.

Social obligations are inherently weak is the point I’m trying to make. Make it easy for active users of your software to distribute it and make it harder for free-loaders. The problem solves itself.

Where does Canonical say they guarantee support? They might for their paid program, but they dont for their free version. Which is the exact point the author made

Ubuntu literally has LTS releases where they guarantee fixes for security issues and the like for absolutely no charge.

Yeah but thats not on demand support. They never say that you can demand a bugfix and they are obliged to provide it. Again, those bigfixes are provided as is. The author os talking about companies wanted to essentially raise tickets and get on demand support. Which no one in their right mind provides for free