Security updates for the universe repository for LTS releases?

Packages in Universe are community maintained. Whether or not they get security updates depends entirely on the community who uses them.

Instructions for contributing security updates for packages in Universe are here:

https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures#Preparing_an_update

Basically, anybody can file a bug, attach a debdiff, subscribe the ubuntu-security-sponsors team and someone from the team will look at it to make sure it's ok, and then sponsor it to the archive.


The example you provided, Ruby, is in the main repository and is supported for five years:

$ apt-cache show ruby | grep -E "(^Supported|pool)"
Filename: pool/main/r/ruby-defaults/ruby_4.8_all.deb
Supported: 5y

See also my answer to "Does 12.04 LXDE have LTS?" and How do I get a list of non-LTS packages installed efficiently?.

For software from universe, it's not even supported officially at all, let alone for five years. From the Community Wiki on the repositories:

Canonical does not provide a guarantee of regular security updates for software in the universe component, but will provide these where they are made available by the community.

However, you can expect most severe issues on popular packages being patched by the community maintaining the software in universe. Just no guarantees.

For the backports my view is that these should not be used in production.