What is End-of-Life Software?

In this blog post, we will discuss what it means for software to be end-of-life, the different terms used around software support, and the muddy territory of open source software and end-of-life.

TL;DR

Roughly EOL == EOS ∈ Deprecated ∈ Unmaintained

What is end-of-life (EOL) software?

End-of-life software is software that its publisher has explicitly marked as no longer supported. For example, Ubuntu 18.04 became end-of-life on May 31st, 2023, meaning Canonical will no longer provide bug fixes or security patches to this distribution starting June 1st, 2023.

There are exceptions, though: when Windows 10 became end-of-life, Microsoft decided to still release security patches due to the prevalence of this distribution. However, this is not something that can be consistently relied upon; it is entirely at the discretion of the publisher and depends on the severity of the security flaws uncovered.

What about end-of-support (EOS)? Deprecated? Unmaintained?

End-of-support software generally means the same thing as end-of-life. EOS software no longer receives any official support, such as bug fixes or security patches, from its publisher.

Deprecated is a much more general term that usually refers to software that is no longer recommended for use or is slated to become end-of-life at a future date. This is not a definitive definition (as with most things language-related), and different publishers will have different expectations for deprecation.

Unmaintained software is similar to EOL/EOS and deprecated software, but it usually reaches this state gradually and informally as publishers cease support over time. For example, while a publisher will explicitly call out software that will be EOL, they could also just stop maintaining a piece of software and let it naturally become unmaintained over time.

What about EOL and open source software?

Things become a bit muddier with non-commercial open source software (also referred to as packages, dependencies, etc.). The incentives to address security issues in open source projects can vary greatly. Some projects have strong community support and maintenance while others don't. This large variance makes drawing a clear line on whether an open source project is still receiving support more art than science, which is why understanding other factors such as deprecation and contributor activity becomes more important.

OSSF Scorecard attempts to address this with a maintenance score for open source projects based on recent contributor activity. This is still evolving, as contributor activity is a proxy and does not guarantee security best practices and timely fixes.
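The distinctions above can be applied to a dependency inventory. The following is an added example, not code from this post or from OSSF Scorecard: it classifies each component by preferring explicit publisher signals (EOL date, deprecation flag) and falls back to commit activity only when the publisher has said nothing. The `Component` fields, the 90-day window, and every inventory entry except the Ubuntu 18.04 date are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumption: 90 days without a commit counts as "unmaintained".
# This window is a local policy choice, not a value taken from the post.
ACTIVITY_WINDOW = timedelta(days=90)

@dataclass
class Component:
    name: str
    eol_date: Optional[date] = None     # publisher-declared last day of support
    deprecated: bool = False            # publisher has flagged it as deprecated
    archived: bool = False              # repository is marked read-only
    last_commit: Optional[date] = None  # most recent commit, if known

def support_status(c: Component, today: date) -> str:
    """Return the most specific status, preferring explicit publisher signals."""
    # EOL/EOS: explicit, and effective the day after the declared date.
    if c.eol_date is not None and today > c.eol_date:
        return "eol"
    # Deprecated: still supported for now, but flagged by the publisher.
    if c.deprecated:
        return "deprecated"
    # A published EOL date that has not passed is a support commitment,
    # so it outranks the activity heuristic below.
    if c.eol_date is not None:
        return "supported"
    # Unmaintained: never announced, only inferred from activity.
    if c.archived:
        return "unmaintained"
    if c.last_commit is None:
        return "unknown"  # no signal at all; do not guess
    if today - c.last_commit > ACTIVITY_WINDOW:
        return "unmaintained"
    return "supported"

# Constructed inventory; only the Ubuntu 18.04 date comes from the post.
INVENTORY = [
    Component("ubuntu-18.04", eol_date=date(2023, 5, 31)),
    Component("libfoo", deprecated=True, last_commit=date(2023, 5, 1)),
    Component("libbar", last_commit=date(2022, 11, 2)),
    Component("libbaz", last_commit=date(2023, 5, 20)),
    Component("libqux"),
]

def audit(inventory, today):
    return {c.name: support_status(c, today) for c in inventory}

if __name__ == "__main__":
    for name, status in audit(INVENTORY, date(2023, 6, 1)).items():
        print(f"{name:14} {status}")
```

An "unmaintained" or "unknown" result is a prompt for manual review rather than a verdict, since commit activity is only a proxy for whether security fixes will arrive.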