[Bug 1370416] Re: Security updates are not marked as security
Axel Beckert
abe at debian.org
Sun Apr 8 12:53:59 UTC 2018
Hi,
Rolf Leggewie wrote:
> I would look into pinning, can this possibly help here?
No, this has nothing to do with pinning at all.
This is a known issue with aptitude. Have a look at the function
is_security() in src/generic/apt/apt.cc: aptitude only regards an update
as a security update if the repository is from security.debian.org or
security.*.debian.org, at least in Debian.
So I assume that Ubuntu patches those lines towards
security.ubuntu.com as used in his German sources.list.
But his "central" sources.list doesn't have security.ubuntu.com
anywhere. He uses e.g. "deb http://archive.ubuntu.com/ubuntu
trusty-security main restricted" there. And hence it's not recognised.
I thought there was an upstream (Debian) bug report about that (as I
am aware of the issue :-), but I couldn't find it at first glance.
Will file one and link it here.
Regards, Axel (with his aptitude hat on)
--
,''`. | Axel Beckert <abe at debian.org>, https://people.debian.org/~abe/
: :' : | Debian Developer, ftp.ch.debian.org Admin
`. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
`- | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to aptitude in Ubuntu.
https://bugs.launchpad.net/bugs/1370416
Title:
Security updates are not marked as security
Status in aptitude package in Ubuntu:
Confirmed
Status in muon package in Ubuntu:
Confirmed
Bug description:
I have two machines, both on Kubuntu 14.04 amd64, one on the German package server, one on the central one.
/etc/apt/sources.list for the German server is attached; the one for the English server will follow in a comment because I can only attach one to the initial report.
/etc/apt/sources.list.d is empty
Both have the same version of openjdk-7-jre installed according to aptitude (7u65-2.5.1-4ubuntu1~0.14.04.2).
Both show an update to 7u65-2.5.2-3~14.04 in aptitude.
However, the one with the German server shows it as a security update according to aptitude, while the central server shows it as a regular update. The package list was updated on both in the same interval of a few seconds.
Why?
[Notice that this might affect other packages, I am seeing more differing updates, only bothering to check the versions for this one.]
Notice that this was preceded by weeks of aptitude telling me about
bad signature / bad checksum when updating the package list (which
made me switch the server to central server on one machine), and your
recent update of apt which seemed to fix security issues in apt
according to the changelog. This is very suspicious to me. Are you
hacked? Am I being hacked? I work on a high value target software
(Internet anonymization), so this scares me.
Please reply soon if you need further information about the state of
my apt, I can only postpone the security updates for a short time, and
afterwards the state of apt might have changed in a way which makes it
impossible to debug.
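As an added example (not code from aptitude or from this thread), here is a small Python check that applies the hostname-only heuristic Axel describes to one-line-style sources.list entries, beside a suite-name check of my own for comparison. The security.ubuntu.com pattern (Axel's assumption about Ubuntu's patch), the sample lines and all function names are constructed for this illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Hostnames the thread says aptitude's is_security() accepts
# (security.debian.org, security.*.debian.org) plus security.ubuntu.com,
# which Axel assumes Ubuntu's patched aptitude adds. Pattern is mine.
SECURITY_HOST_RE = re.compile(
    r"^security\.(?:[a-z0-9-]+\.)?debian\.org$|^security\.ubuntu\.com$")
OPTIONS_RE = re.compile(r"^(deb(?:-src)?)\s+\[[^\]]*\]")  # "deb [arch=...]"

@dataclass(frozen=True)
class SourceEntry:
    host: str
    suite: str
    components: Tuple[str, ...]

def parse_sources_line(line: str) -> Optional[SourceEntry]:
    """Parse a one-line-style sources.list entry; None for blank/comment."""
    line = OPTIONS_RE.sub(r"\1", line.split("#", 1)[0].strip())
    fields = line.split()
    if len(fields) < 3 or fields[0] not in ("deb", "deb-src"):
        return None
    host = urlparse(fields[1]).hostname or ""
    return SourceEntry(host.lower(), fields[2], tuple(fields[3:]))

def is_security_by_host(entry: SourceEntry) -> bool:
    """The hostname-only heuristic described in the bug thread."""
    return SECURITY_HOST_RE.match(entry.host) is not None

def is_security_by_suite(entry: SourceEntry) -> bool:
    """Alternative check (my suggestion, not aptitude's): the suite name."""
    return entry.suite.endswith("-security")

# Constructed sample lines: the "central" entry quoted in the report,
# a security.ubuntu.com entry, a plain updates mirror, and a Debian one.
SAMPLE_SOURCES = """\
deb http://archive.ubuntu.com/ubuntu trusty-security main restricted
deb http://security.ubuntu.com/ubuntu trusty-security main restricted
deb http://de.archive.ubuntu.com/ubuntu trusty-updates main restricted
deb http://security.debian.org/ wheezy/updates main
"""

def classify(sources_text: str) -> List[Tuple[str, str, bool, bool]]:
    """(host, suite, host-check result, suite-check result) per entry."""
    entries = filter(None, map(parse_sources_line, sources_text.splitlines()))
    return [(e.host, e.suite, is_security_by_host(e), is_security_by_suite(e))
            for e in entries]
```

The archive.ubuntu.com line from the report passes the suite check but not the host check, which is exactly the discrepancy the reporter saw between the two machines; the wheezy/updates line shows that the suite-name check alone is not universal either.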