debcrafters-packages team mailing list archive
Message #07265
[Bug 2004203] Please test proposed package
Hello Ian, or anyone else affected,
Accepted needrestart into jammy-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/needrestart/3.5-5ubuntu2.5 in a few
hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-jammy to verification-done-jammy. If it does not fix
the bug for you, please add a comment stating that, and change the tag to
verification-failed-jammy. In either case, without details of your
testing we will not be able to proceed.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance for helping!
N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.
--
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to needrestart in Ubuntu.
https://bugs.launchpad.net/bugs/2004203
Title:
With needrestart, apt-get does not respect non-interactive instruction
when upgrading services
Status in needrestart package in Ubuntu:
Fix Released
Status in needrestart source package in Jammy:
Fix Committed
Bug description:
[ Impact ]
* Servers and other systems running `unattended-upgrades` will not
automatically restart services that use binaries that were updated,
even when explicitly configured to do so. This may lead to security
holes remaining open or other misbehaviour, until the machine or
services are restarted for other reasons. This defeats the primary
functionality of that package.
[ Test Plan ]
* Use an Ubuntu Jammy test system with typical configuration. I used
a fresh LXD container.
* Install `unattended-upgrades`. Ensure `needrestart` and
`update-notifier-common` are also installed, but that should usually be
the case.
* Configure `needrestart` to automatically restart services:
  * Create `/etc/needrestart/conf.d/auto-restart.conf` with content:
    $nrconf{restart} = 'a';
* Locate any package that some running service has an indirect dependency on (such as libc, libssl3, python, java, etc). Using something more uncommon like java might be easier than something that has a lot of dependencies like libc/libssl3.
  * In my case I chose `<dep>=libc6` and `<service>=cron`.
* `apt list -a <dep>` to see other versions of the package. Usually
there will be an older version available from the main repository,
while the current version is from the update or security repository.
* `sudo apt install <dep>=<version>` to explicitly downgrade the package to the older version. (You may need to select a different package, or more packages, to resolve conflicts or avoid removing other packages.)
* Observe that the dependent services will be automatically restarted when you do this. (I checked this via the start time in `systemctl status <service>`.)
* `sudo unattended-upgrade` to request immediate upgrade of outdated packages, which should reverse the above change.
* Observe that while `/var/log/unattended-upgrades/unattended-upgrades-dpkg.log` reports `NEEDRESTART-SVC` as expected, the services in question are not actually restarted. (Again I confirmed this via `systemctl status <service>`.)
[ Where problems could occur ]
* There is a low chance of regressions given that the patch has
been included in the packaged deb since kinetic.
* Since this bug has been around for some time a number of users may have implemented workarounds in their scripts that this fix could break.
* I have tested at least one workaround which was discussed on the associated github issue (https://github.com/liske/needrestart/issues/270) and confirmed that this fix does not break it. Namely running `needrestart -r a -f readline` after `unattended-upgrade` does not prompt and does not cause any additional restarts.
* Someone could have been relying on the broken behavior to avoid
automatic restarts. This seems unlikely, as it is directly against the
described behavior of the package.
[ Other Info ]
Related: https://bugs.launchpad.net/ubuntu/+source/unattended-upgrades/+bug/2055280
Related: https://github.com/liske/needrestart/issues/270
Related: https://github.com/liske/needrestart/pull/214 (upstream patch)
The debdiff has been updated since security patches were released
since juergh's upload, but the fix is substantially the same.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/needrestart/+bug/2004203/+subscriptions
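
A helper for the last two steps of the test plan above, as an added example that is not part of the original bug report: it lists services that the dpkg log flagged with `NEEDRESTART-SVC` but whose start time predates the upgrade run. The function names, the `NEEDRESTART-SVC: <unit>` line layout and the sample log are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report. Intended use on a test system:
#   before=$(date +%s); sudo unattended-upgrade
#   stale_services /var/log/unattended-upgrades/unattended-upgrades-dpkg.log "$before"

# Constructed sample log (assumed layout: "NEEDRESTART-SVC: <unit>").
SAMPLE_LOG='Log started: (constructed sample)
Setting up libc6:amd64 (<version>) ...
NEEDRESTART-VER: 3.5
NEEDRESTART-SVC: cron.service
NEEDRESTART-SVC: ssh.service
NEEDRESTART-SVC: cron.service
Log ended: (constructed sample)'

# Print each unit flagged in the given log once, sorted.
flagged_services() {
    sed -n 's/^NEEDRESTART-SVC:[[:space:]]*\([^[:space:]]*\).*$/\1/p' "$1" | sort -u
}

# Epoch seconds at which a unit last became active; fails if it never did.
# Assumes GNU date can parse the timestamp systemctl prints.
service_start_epoch() {
    ts=$(systemctl show "$1" --property=ActiveEnterTimestamp --value)
    [ -n "$ts" ] || return 1
    date -d "$ts" +%s
}

# True when the service started before the upgrade began, so it is
# still running against the old binaries. Arguments: start, upgrade epoch.
is_stale() {
    [ "$1" -lt "$2" ]
}

# Print flagged units that were not restarted since the upgrade began.
# Arguments: log file, epoch recorded just before running unattended-upgrade.
stale_services() {
    for svc in $(flagged_services "$1"); do
        started=$(service_start_epoch "$svc") || continue
        if is_stale "$started" "$2"; then
            echo "$svc"
        fi
    done
}
```

Empty output means every flagged service was restarted after the recorded start of the upgrade; any unit printed matches the behaviour described in the final step of the test plan.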