enterprise license

[Felipe Aleixo]

Hello everyone,

I work for a company that has several Proxmox servers installed.

However, the company does not want to purchase the enterprise license, and another technician wants to perform Proxmox updates using the no-subscription repository instead.

I recommended buying the official license, but there is always someone who wants to go against that recommendation.

My main question is: is updating Proxmox through the no-subscription repository considered safe for production environments? Could this approach cause problems or instability in the future?

I would appreciate hearing from people with real experience using this method in production environments.

 

[leesteken]

It's not a license (which is a legally very different thing) but a (support) subscription. The no-subscription repository is a little less time-tested and gets features and bugfixes sooner and more often. If there is a problem then it's usually fixed quickly compared to being on the enterprise repository. It's what most people run at home, which they call "production" as it runs their "critical" infrastructure like home automation and network routing. I use no-subscription mostly but did get a subscription to support Proxmox.

 

[UdoB]

is updating Proxmox through the no-subscription repository considered safe for production environments?

As so often: it depends.

If I run a company and I my services infrastructure is used in my office to make money and I want that to be possible with ~99.9 percent reliability (that's one workday per year) then I use the better tested subscription repository.

For my homelab that is not the case...

 

[Neobin]

is updating Proxmox through the no-subscription repository considered safe for production environments?

If your company wants to be a release candidate tester for the enterprise repository users and is fine with services being down when a "problematic" package, despite alpha (internal) and beta (test repository) testing (which can be assumed, is a relatively small audience), made its way into the no-subscription repository...

 

[d.oishi]

I also agree with what others have already said about the benefits of a subscription.
I would like to add one practical example that may help persuade people who are opposed to purchasing a subscription.

Recently, there was the following vulnerability/security advisory.

Post in thread 'Proxmox Virtual Environment - Security Advisories'

Apr 30, 2026

Subject: PSA-2026-00018-1: "copy.fail" local privilege escalation via AF_ALG socket​

Advisory date: 2026-04-30

Packages: proxmox-kernel-6.8, proxmox-kernel-6.14, proxmox-kernel-6.17

Details:

An issue published under the name "copy.fail" was found in the Linux kernel's handling of AF_ALG socket messages. An unprivileged local user could abuse this issue to write 4 controlled bytes into the page cache of any readable file on a Linux system, and use that to gain root and potentially escape sandboxing mechanisms such as containers.

Mitigations:

Fixed kernel...

• ProxmoxSecurityAdvisory

At the time this security advisory was published, the no-subscription repository already contained the proxmox-kernel-7.0.0-*-pve kernel.
When users updated their systems to address this security advisory, those using the no-subscription repository could end up being moved to proxmox-kernel-7.0.0-*-pve as part of that process.
You can pin the kernel with `proxmox-boot-tool`, but that assumes a certain level of engineering knowledge, and there is also the risk that people forget they pinned the kernel and continue using it that way for too long.

By contrast, the enterprise repository provided the vulnerability-fixed proxmox-kernel-6.17.13-*-pve kernel without bringing in proxmox-kernel-7.0.0-*-pve, so the impact was minimal and it was possible to respond quickly.

That alone is already a meaningful advantage of the enterprise repository.
In addition, with the Basic plan or above, you can also receive ticket-based support.

 

[jabuzzard]

It's not a license (which is a legally very different thing) but a (support) subscription.

Presumption makes a fool of you and me.

In the UK, you might want to call it a subscription, but it is a legal license to use intellectual property with restrictions, which also comes with varying levels of access to support. Consequently, to me (a resident of the United Kingdom), it is factually correct to call it a license because that is exactly what it is. I suspect that, from a legal perspective, it is technically a mixture of a license and access to support in most legal jurisdictions. When your siblings are lawyers and judges, you constantly get disabused of this sort of legal misunderstanding.

 

[UdoB]

Well..., Proxmox (the company) does not offer any license: https://www.proxmox.com/en/products/proxmox-virtual-environment/pricing

And I believe they have chosen their wording very carefully.

 

[leesteken]

In the UK, you might want to call it a subscription, but it is a legal license to use intellectual property with restrictions, which also comes with varying levels of access to support.

The Proxmox VE software is open-source under the free AGLP3.0 license [UK: licence] (which does not come with varying level of support) and comes with all features enabled. The support subscription (with zero or more yearly support tickets) is optional and sold separately. Please note that I'm not a lawyer and not from the UK, but this distinction between the free license to run and use the software (for an unlimited amount of time) and a paid support plan (by Proxmox or another company) is usually quite relevant (for other people and businesses).

EDIT: Maybe I took the definition of license too small by assuming it would be mandatory and for permission to run the software. I see now that you could call a permission to claim support (which has been paid for) also a license. And such a support-license could be fully optional and does not need to come from Proxmox at all.

 

[jabuzzard]

Well..., Proxmox (the company) does not offer any license: https://www.proxmox.com/en/products/proxmox-virtual-environment/pricing

And I believe they have chosen their wording very carefully.

The point I was making is yes they do. They may choose to call it something else, but legally in the UK, at least, it is a license.

 

[jabuzzard]

The Proxmox VE software is open-source under the free AGLP3.0 license (which does not come with varying level of support) and comes with all features enabled. The support subscription (with zero or more yearly support tickets) is optional and sold separately. Please note that I'm not a lawyer and not from the UK, but this distinction between the free license to run and use the software (for an unlimited amount of time) and a paid support plan (by Proxmox or another company) is usually quite relevant (for other people and businesses).

That is the point, you are not a lawyer, and while I am not a lawyer either, I keep getting disabused of notions like that by my siblings who are lawyers/judges, including on this very specific topic. Effectively, there are two licenses: one for the source code and another for access to the curated and tested binaries derived from it. You may call the second a "subscription", legally in the UK, it is a license.

Don't assume the legal situation where you live is the same as that where someone else lives, and consequently, don't "correct" them for potentially using correct English.

 

[gfngfn256]

From the Proxmox VE Subscription Agreement:

Important note:
(Re-)Distributing Software packages received under this Subscription Agreement to a third party or using
any of the subscription services for the benefit of a third party is a material breach of the agreement, even
if the open-source license applicable to individual software packages may give you the right to distribute
those packages (this limitation is not intended to interfere with your rights under those individual
licenses).

I believe, from a legal stand-point, jabuzzard appears to be correct, based on the highlighted text above.

 

[leesteken]

I believe, from a legal stand-point, jabuzzard appears to be correct, based on the highlighted text above.

The same binaries are also available on the no-subscription repository (if I'm not mistaken). Would sharing a (partial) list of (the older) versions, by version number and not the actual package, that are in the enterprise repository (at a time in between ISO releases) also be a beach of the agreement?
EDIT: I guess it could be considered to violate the spirit of it when someone using the enterprise repository shares the output of pveversion -v , which is sometimes asked during troubleshooting on this forum.

 

[gfngfn256]

The same binaries are also available on the no-subscription repository (if I'm not mistaken). Would sharing a (partial) list of (the older) versions, by version number and not the actual package, that are in the enterprise repository (at a time in between ISO releases) also be a beach of the agreement?

If an identical file is legally & readily available elsewhere, it is possible & likely that the above agreement would not be able to prohibit that distribution.
However that agreement is still legally a license, since it will limit to usage only & non-distribution of any non-available file.

 

[alexskysilk]

That is the point, you are not a lawyer, and while I am not a lawyer either, I keep getting disabused of notions like that by my siblings who are lawyers/judges, including on this very specific topic. Effectively, there are two licenses: one for the source code and another for access to the curated and tested binaries derived from it. You may call the second a "subscription", legally in the UK, it is a license.

I'm curious. is there a statute you can point me to? I'm not UK based but do support clients internationally; this would be of specific interest.

the AGPL is quite specific:

"Developers that use our General Public Licenses protect your rights with two steps: (1) assert copyright on the software, and (2) offer you this License which gives you legal permission to copy, distribute and/or modify the software."

"Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License. You are not responsible for enforcing compliance by third parties with this License."

it is not LEGAL for Proxmox GMBH to require or offer a license separate from the agpl.

"This License explicitly affirms your unlimited permission to run the unmodified Program. The output from running a covered work is covered by this License only if the output, given its content, constitutes a covered work. This License acknowledges your rights of fair use or other equivalent, as provided by copyright law."

"You are not required to accept this License in order to receive or run a copy of the Program. [...] However, nothing other than this License grants you permission to propagate or modify any covered work. These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so."

I assume that the contract license is valid UNLESS SUPERCEDED by local law; please do ask your lawyers and judge friends what local law is that- it would be most useful to be aware of.

 

[Johannes S]

My main question is: is updating Proxmox through the no-subscription repository considered safe for production environments? Could this approach cause problems or instability in the future?

To answer your actual question instead of rather pointless debate whether the subscription is actually a licence and vice versa (which doesn't really matter for your question): It depends. Can you live with the risc that you might get hit with a bug a user of the enterprise-repository never encountered due to it being discovered during the rollout to pve-no-subscription and fixed before pushing these new versions to pve-enterprise? This is not a theoretical issue btw, if you look in the forum there are more than enough reports from people who discovered a bug not triggered in the internal testing of Proxmox developers. So: You need to think, what's the worst impact an interruption of your services through a bug might cause? Can your business survive it? How long can it survive? Have you any plans how to rollback an update gone wrong (it might be even needed ro reinstall your PVE nodes and restore the containers and vms from a backup (you have backups havn't you)? Are you and your coworkers seasoned Linux admins who feel at home at the shell and are comfortable with troubleshooting Linux systems or are you more used to Click-Ops due to migrating from Vmware and mostly maintaining windows systems (1)? Depending on the answer it might give you better sleep to have a support subscription in case you get hit by a problem.

And these questions can only answered by you, nobody knows your business, it's requirements and trade offs you, your coworkers and management feel comfortable with.

Personally I feel comfortable with using ProxmoxVE without subscription in my homelab. If my place of work would ever migrate away from VMware to ProxmoxVE I would always push for a subscription though. I know that my knowledge is limited and if we ever would encounter an issue we can't solve ourselves I want to have the option to get support from the developers with a guaranteed reaction time.


(1) This is not a diss. Maintaining windows servers needs at least as much skills as a Linux system, if not more, to do it right. These skills are just not the same as for Linux I couldn't do this for example, but I pay my rent by maintaining Linux systems.