That's a good point about Ubuntu - the lack of security updates for Universe could be an
issue. Basically for anything security sensitive in Universe, you need to track another
source of updates, which could be Debian or directly from upstream. However, the Ubuntu
statement on all this makes it clear that if upstream does a security fix, Universe should
pull this in.
I'm curious why Ubuntu doesn't provide security updates for as many packages as Debian, though
... anyone know the answer?
Multiverse is for unsupported binaries, so it's best to go direct to the vendor (e.g. Opera
has its own repository which works nicely with APT), and Restricted is for supported binaries
such as some video drivers.
If you have a server, it's worth ensuring that everything you need is in the main part of
Ubuntu - if there are additional packages that are security sensitive, it's worth tracking
public alert lists or the specific alert lists from upstream.
For desktops, you still need to exercise a little care in choice of Universe components, but the
real risk of compromise is very low as most vulnerabilities would be through desktop clients
such as web, email, PDF readers, media players, etc., and of course those mostly target Windows
and Mac - at least for now. (I just encountered another friend's Windows PC that had a
particularly nasty piece of spyware called Vundo that is not prevented or fixed by their up-to-date
Norton Internet Security package - instead you need to download some freeware to fix it,
and use Firefox to avoid getting it in the first place... if this were an Ubuntu box it would
not have had spyware in the first place.)
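The server check suggested above (make sure what you rely on comes from main, and track everything else separately), as an added example that is not code from this thread: it assumes the version-table layout printed by `apt-cache policy`, and the sample output it parses is constructed.

```shell
#!/bin/sh
# Added example (not from the LWN thread): list installed packages whose installed
# version comes from outside Ubuntu main/restricted (universe, multiverse, third-party
# repos), i.e. the ones whose security fixes must be tracked via Debian or upstream.

# parse_policy: read `apt-cache policy pkg...` on stdin, print "<package> <component>"
# per package, taking the component from the " *** " (installed) version entry.
parse_policy() {
    awk '
        function emit() { if (pkg != "") print pkg, comp }
        /^[^ ]/      { emit(); pkg = $1; sub(/:$/, "", pkg); comp = "unknown"; inst = 0; next }
        /^ \*\*\* /  { inst = 1; next }   # entry for the installed version
        /^     [^ ]/ { inst = 0; next }   # entry for some other version
        inst && / Packages$/ && comp == "unknown" {
            # the suite/component field has exactly one slash and no colon (unlike the URI)
            for (i = 1; i <= NF; i++)
                if ($i ~ "^[^:/]+/[^/]+$") { split($i, p, "/"); comp = p[2]; break }
        }
        END { emit() }'
}

# flag_unsupported: keep only packages outside main/restricted (includes "unknown").
flag_unsupported() { parse_policy | awk '$2 != "main" && $2 != "restricted"'; }

# Constructed sample of apt-cache policy output (hardy-era layout, made-up versions).
SAMPLE_POLICY='openssh-server:
  Installed: 1:4.7p1-8ubuntu1
  Version table:
 *** 1:4.7p1-8ubuntu1 0
        500 http://archive.ubuntu.com/ubuntu hardy-security/main Packages
        100 /var/lib/dpkg/status
     1:4.7p1-8 0
        500 http://archive.ubuntu.com/ubuntu hardy/main Packages
vlc:
  Installed: 0.8.6e-1ubuntu1
  Version table:
 *** 0.8.6e-1ubuntu1 0
        500 http://archive.ubuntu.com/ubuntu hardy/universe Packages
opera:
  Installed: 9.26-20080224.1
  Version table:
 *** 9.26-20080224.1 0
        500 http://deb.opera.com/opera stable/non-free Packages'

printf '%s\n' "$SAMPLE_POLICY" | flag_unsupported   # prints "vlc universe" then "opera non-free"
# With --live, report on the real system instead of the constructed sample.
if [ "${1:-}" = "--live" ] && command -v apt-cache >/dev/null 2>&1; then
    dpkg-query -W -f='${Package}\n' | xargs apt-cache policy | flag_unsupported
fi
```

The flagged list is the set of packages for which Ubuntu's own security advisories are not enough, so each entry needs a Debian or upstream advisory source behind it.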
Posted Mar 3, 2008 17:44 UTC (Mon) by vonbrand (subscriber, #4458)
I'm curious why Ubuntu doesn't provide security updates for as many packages as Debian, though
... anyone know the answer?
Manpower required? (No, "Canonical is a company, they have money" doesn't cut it).
Maintaining old software is boring, backporting security fixes from (increasingly remote) head versions is delicate, painstaking work, and requires people intimately acquainted with the codebases. They are in rather short supply.