[Bug 1883315] [NEW] Showing esm update as installable when esm is disabled
Andreas Hasenack
1883315 at bugs.launchpad.net
Fri Jun 12 19:21:53 UTC 2020
Public bug reported:
I came across a scenario where the output of `/usr/lib/update-notifier
/apt-check --human-readable` is showing some (not all) esm updates as
being installable when esm itself is disabled:
ubuntu at trusty-desktop:~$ sudo /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is not enabled.
456 updates can be installed immediately.
10 of these updates are provided through UA Infrastructure ESM.
378 of these updates are security updates.
To see these additional updates run: apt list --upgradable
Enable UA Infrastructure ESM to receive 127 additional security updates.
See https://ubuntu.com/advantage or run: sudo ua status
If you look carefully, you will see that it's contradicting itself by saying esm is enabled and disabled at the same time:
- 10 ESM updates can be installed immediately
- ESM is disabled, and if you enable ESM you will get 127 additional updates
I believe this comes from apt_check.py:253:
# now check for security updates that are masked by a
# canidate version from another repo (-proposed or -updates)
for ver in pkg.version_list:
if (inst_ver and apt_pkg.version_compare(ver.ver_str, inst_ver.ver_str) <= 0):
#print("skipping '%s' " % ver.VerStr)
continue
if isESMUpgrade(ver):
esm_updates += 1
if isSecurityUpgrade(ver):
security_updates += 1
break
I believe that is ignoring the fact that ESM is disabled. I added a pdb to check which package it was considering as an esm update, and the first response was dbus, which is in this peculiar state in the archive:
ubuntu at trusty-desktop:~$ apt-cache policy dbus
dbus:
Installed: 1.6.18-0ubuntu4.3
Candidate: 1.6.18-0ubuntu4.5
Version table:
1.6.18-0ubuntu4.5+esm1 0
-32768 https://esm.ubuntu.com/ubuntu/ trusty-infra-security/main amd64 Packages
1.6.18-0ubuntu4.5 0
500 http://br.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
1.6.18-0ubuntu4.4 0
500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
*** 1.6.18-0ubuntu4.3 0
100 /var/lib/dpkg/status
1.6.18-0ubuntu4 0
500 http://br.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
Maybe we just need to guard that isESMUpgrade(ver) call with "if
have_esm and isESMUpgrade(ver)"?
The other place in the code a bit up from the above which also
increments esm_updates isn't run in this scenario, so the 10 packages
must come from the check I highlighted above.
Other info:
update-notifier 0.154.1ubuntu8 from trusty-updates
ubuntu-advantage-tools 19.6~ubuntu14.04.4 from trusty-updates
ua is attached, but esm disabled:
ubuntu at trusty-desktop:~$ ua status
SERVICE ENTITLED STATUS DESCRIPTION
cc-eal yes n/a Common Criteria EAL2 Provisioning Packages
cis-audit no — Center for Internet Security Audit Tools
esm-infra yes disabled UA Infra: Extended Security Maintenance
fips yes n/a NIST-certified FIPS modules
fips-updates yes n/a Uncertified security updates to FIPS modules
livepatch yes disabled Canonical Livepatch service
Enable services with: ua enable <service>
Account: andreas.hasenack at canonical.com
Subscription: andreas.hasenack at canonical.com
** Affects: update-notifier (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to update-notifier in Ubuntu.
https://bugs.launchpad.net/bugs/1883315
Title:
Showing esm update as installable when esm is disabled
Status in update-notifier package in Ubuntu:
New
Bug description:
I came across a scenario where the output of `/usr/lib/update-notifier
/apt-check --human-readable` is showing some (not all) esm updates as
being installable when esm itself is disabled:
ubuntu at trusty-desktop:~$ sudo /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is not enabled.
456 updates can be installed immediately.
10 of these updates are provided through UA Infrastructure ESM.
378 of these updates are security updates.
To see these additional updates run: apt list --upgradable
Enable UA Infrastructure ESM to receive 127 additional security updates.
See https://ubuntu.com/advantage or run: sudo ua status
If you look carefully, you will see that it's contradicting itself by saying esm is enabled and disabled at the same time:
- 10 ESM updates can be installed immediately
- ESM is disabled, and if you enable ESM you will get 127 additional updates
I believe this comes from apt_check.py:253:
# now check for security updates that are masked by a
# canidate version from another repo (-proposed or -updates)
for ver in pkg.version_list:
if (inst_ver and apt_pkg.version_compare(ver.ver_str, inst_ver.ver_str) <= 0):
#print("skipping '%s' " % ver.VerStr)
continue
if isESMUpgrade(ver):
esm_updates += 1
if isSecurityUpgrade(ver):
security_updates += 1
break
I believe that is ignoring the fact that ESM is disabled. I added a pdb to check which package it was considering as an esm update, and the first response was dbus, which is in this peculiar state in the archive:
ubuntu at trusty-desktop:~$ apt-cache policy dbus
dbus:
Installed: 1.6.18-0ubuntu4.3
Candidate: 1.6.18-0ubuntu4.5
Version table:
1.6.18-0ubuntu4.5+esm1 0
-32768 https://esm.ubuntu.com/ubuntu/ trusty-infra-security/main amd64 Packages
1.6.18-0ubuntu4.5 0
500 http://br.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
1.6.18-0ubuntu4.4 0
500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
*** 1.6.18-0ubuntu4.3 0
100 /var/lib/dpkg/status
1.6.18-0ubuntu4 0
500 http://br.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
Maybe we just need to guard that isESMUpgrade(ver) call with "if
have_esm and isESMUpgrade(ver)"?
The other place in the code a bit up from the above which also
increments esm_updates isn't run in this scenario, so the 10 packages
must come from the check I highlighted above.
Other info:
update-notifier 0.154.1ubuntu8 from trusty-updates
ubuntu-advantage-tools 19.6~ubuntu14.04.4 from trusty-updates
ua is attached, but esm disabled:
ubuntu at trusty-desktop:~$ ua status
SERVICE ENTITLED STATUS DESCRIPTION
cc-eal yes n/a Common Criteria EAL2 Provisioning Packages
cis-audit no — Center for Internet Security Audit Tools
esm-infra yes disabled UA Infra: Extended Security Maintenance
fips yes n/a NIST-certified FIPS modules
fips-updates yes n/a Uncertified security updates to FIPS modules
livepatch yes disabled Canonical Livepatch service
Enable services with: ua enable <service>
Account: andreas.hasenack at canonical.com
Subscription: andreas.hasenack at canonical.com
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/update-notifier/+bug/1883315/+subscriptions
More information about the foundations-bugs
mailing list