[Bug 1788486] Re: apt behaviour when package with strict dependencies rules and version -gt in -updates than -security.

Julian Andres Klode 1788486 at bugs.launchpad.net
Wed Aug 29 14:15:02 UTC 2018 

Again: The security notice is about source packages, not binary
packages. libsystemd0 and systemd are both part of the systemd source
package, so obviously both need to be upgraded if installed.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1788486

Title:
  apt behaviour when package with strict dependencies rules and version
  -gt in -updates than -security.

Status in apt package in Ubuntu:
  Won't Fix
Status in landscape-client package in Ubuntu:
  Won't Fix
Status in apt source package in Xenial:
  Won't Fix
Status in landscape-client source package in Xenial:
  Won't Fix
Status in apt source package in Bionic:
  Won't Fix
Status in landscape-client source package in Bionic:
  Won't Fix

Bug description:
  [Impact]

  We notice that situation while investigating a security update using
  Landscape, but it also applies to 'apt' outside the Landscape context.

  'apt' should be smarter to detect/install packages with strict
  dependencies such as systemd[1] when a version is specified for
  upgrade (Ex: $ apt-get install systemd=229-4ubuntu-21.1).

  It should automatically install the dependencies (if any) from that
  same version as well instead of failing trying to install the highest
  version available (if any) while installing the specified version for
  the one mentionned :

  ========================
  $ apt-get install systemd=229-4ubuntu-21.1
  ....
  "systemd : Depends: libsystemd0 (= 229-4ubuntu21.1) but 229-4ubuntu21.4 is to be installed"
  =========================

  To face that problem :
  - Package with lower version should be found in -security ( Ex: systemd/229-4ubuntu21.1 )
  - Package with higher version should be found in -updates ( Ex: systemd/229-4ubuntu21.4 )
  - Package should have strict dependencies ( Ex: libsystemd0 (= ${binary:Version}) )
  - The upgrade should only specify version for the package, without it's dependencies. (Ex: $ apt-get install systemd=229-4ubuntu-21.1" #systemd without libsystemd0 depends)

  Using systemd is a good reproducer, I'm sure finding other package
  with the same situation is easy.

  It has been easily reproduced with systemd on Xenial and Bionic so
  far.

  [1] debian/control
  Depends: ${shlibs:Depends},
  ${misc:Depends},
  libsystemd0 (= ${binary:Version}),
  ...

  [Workaround]
  If package + dependencies are specified, the upgrade work just fine :

  Ex: $ apt-get install systemd=229-4ubuntu-21.1
  libsystemd0=229-4ubuntu-21.1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1788486/+subscriptions

More information about the foundations-bugs mailing list