group.of.nepali.translators team mailing list archive
-
group.of.nepali.translators team
-
Mailing list archive
-
Message #39487
[Bug 1883315] Re: Showing esm update as installable when esm is disabled
This bug was fixed in the package update-notifier - 3.192.40.1
---------------
update-notifier (3.192.40.1) hirsute; urgency=medium
[ Lucas Moura ]
* data/apt_check.py:
- Add support to handle packages from ESM Apps in addition to ESM Infra
and only display alerts if the distro is ESM. (LP: #1924766)
- Do not display a count of ESM packages if the system does not have ESM
enabled. (LP: #1883315)
- Make distinction between standard security updates and ESM updates
when performing package counts. (LP: #1926208)
- use 'applied' instead of 'installed', redact 0 of these updates are
security updates, and correct singular messages
* debian/control: Add a dependency on python3-distro-info.
-- Chad Smith <chad.smith@xxxxxxxxxxxxx> Thu, 22 Apr 2021 17:47:19
-0600
** Changed in: update-notifier (Ubuntu Hirsute)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1883315
Title:
Showing esm update as installable when esm is disabled
Status in update-notifier package in Ubuntu:
Fix Released
Status in update-notifier source package in Xenial:
Fix Released
Status in update-notifier source package in Bionic:
Fix Released
Status in update-notifier source package in Focal:
Fix Released
Status in update-notifier source package in Groovy:
New
Status in update-notifier source package in Hirsute:
Fix Released
Status in update-notifier source package in Impish:
Fix Released
Bug description:
[Impact]
when users are getting the message update-notifier message through apt-check they may find inconsistent behavior regarding ESM products. This is misleading since we will say to the users that they don't have ESM Infra, but they do have ESM infra packages that can be installed. This is poor marketing of our products
[Test case]
To reproduce the issue, you can:
1. Launch the following old version of a xenial container:
lxc launch ubuntu:f4c4c60a6b752a381288ae72a1689a9da00f8e03b732c8d1b8a8fcd1a8890800 dev-x
2. Run apt update and install the updated version of update-notifier-common
3. Add the ubuntu-advantage-tools ppa:
https://code.launchpad.net/~ua-client/+archive/ubuntu/daily
4. Install ubuntu-advantage-tools
5. Install the latest version of uaclient from the stable ppa:
https://launchpad.net/~ua-client/+archive/ubuntu/stable/
6. Comment out all mentions of xenial-security in /etc/apt/source.list
7. Run apt update
8. Run /usr/lib/update-notifier/apt-check --human-readable
9. See a message like this:
UA Infra: Extended Security Maintenance (ESM) is not enabled.
256 packages can be updated.
5 of these updates are fixed through UA Infra: ESM.
5 of these updates are security updates.
To see these additional updates run: apt list --upgradable
Enable UA Infra: ESM to receive 5 additional security updates.
See https://ubuntu.com/security/esm or run: sudo ua status
To verify that the error is fixed:
1.Perform all the stages above until step 8
2 Install the new update-notifier from this ppa:
https://launchpad.net/~lamoura/+archive/ubuntu/update-notifier-test-ppa
3. Run /usr/lib/update-notifier/apt-check --human-readable
4. See a message like this:
256 updates can be installed immediately.
5 of these updates are security updates.
To see these additional updates run: apt list --upgradable
5. We are now only showing ESM infra specific message if the distro is
ESM. To enforce that behavior, make the `is_esm_distro` function in
`/usr/lub/update-notifier/apt-check` return True, then you will see
this message:
UA Infra: Extended Security Maintenance (ESM) is not enabled.
256 updates can be installed immediately.
5 of these updates are security updates.
To see these additional updates run: apt list --upgradable
5 additional security updates can be applied with UA Infra: ESM
Learn more about enabling UA Infra: ESM service at https://ubuntu.com/esm
That is now correct.
[Where problems could occur]
The changes in this package should only be seen when MOTD is getting a
new message. If that script fails for some reason, it seems that MOTD
will only not present the message, which is doesn't seem to be a
system critical issue. Additionally, we would potentially have
tracebacks in the update-notifier logs. Finally, if the logic is also
incorrect, we would be displying incorrect ESM messages to the user.
But since we are doing this now, as this bug shows, I don't think this
is critical as well.
[Discussion]
With ESM Apps going to production soon, we have decided to update the
messages delivered by update-notifier apt-check to address the package
count of ESM Apps and the possibility of installing more upgrades if
the user has ESM Apps disabled.
We are also updating other parts of the messaging as well. First, we only display ESM Infra status
on ESM distros. However, we will keep showing the ESM Infra package count on all of them.
For ESM Apps, we are only performing the alerts (For example, that you
might have x packages updates if ESM Apps is installed) if the user is
on a LTS distro.
Since we going to perform that change, we decided to also address this
bit in the SRU, since it could harm the message we are delivering
[Original Report]
I came across a scenario where the output of `/usr/lib/update-notifier/apt-check --human-readable` is showing some (not all) esm updates as being installable when esm itself is disabled:
ubuntu@trusty-desktop:~$ sudo /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is not enabled.
456 updates can be installed immediately.
10 of these updates are provided through UA Infrastructure ESM.
378 of these updates are security updates.
To see these additional updates run: apt list --upgradable
Enable UA Infrastructure ESM to receive 127 additional security updates.
See https://ubuntu.com/advantage or run: sudo ua status
If you look carefully, you will see that it's contradicting itself by saying esm is enabled and disabled at the same time:
- 10 ESM updates can be installed immediately
- ESM is disabled, and if you enable ESM you will get 127 additional updates
I believe this comes from apt_check.py:253:
# now check for security updates that are masked by a
# canidate version from another repo (-proposed or -updates)
for ver in pkg.version_list:
if (inst_ver and apt_pkg.version_compare(ver.ver_str, inst_ver.ver_str) <= 0):
#print("skipping '%s' " % ver.VerStr)
continue
if isESMUpgrade(ver):
esm_updates += 1
if isSecurityUpgrade(ver):
security_updates += 1
break
I believe that is ignoring the fact that ESM is disabled. I added a pdb to check which package it was considering as an esm update, and the first response was dbus, which is in this peculiar state in the archive:
ubuntu@trusty-desktop:~$ apt-cache policy dbus
dbus:
Installed: 1.6.18-0ubuntu4.3
Candidate: 1.6.18-0ubuntu4.5
Version table:
1.6.18-0ubuntu4.5+esm1 0
-32768 https://esm.ubuntu.com/ubuntu/ trusty-infra-security/main amd64 Packages
1.6.18-0ubuntu4.5 0
500 http://br.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
1.6.18-0ubuntu4.4 0
500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
*** 1.6.18-0ubuntu4.3 0
100 /var/lib/dpkg/status
1.6.18-0ubuntu4 0
500 http://br.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
Maybe we just need to guard that isESMUpgrade(ver) call with "if
have_esm and isESMUpgrade(ver)"?
The other place in the code a bit up from the above which also
increments esm_updates isn't run in this scenario, so the 10 packages
must come from the check I highlighted above.
Other info:
update-notifier 0.154.1ubuntu8 from trusty-updates
ubuntu-advantage-tools 19.6~ubuntu14.04.4 from trusty-updates
ua is attached, but esm disabled:
ubuntu@trusty-desktop:~$ ua status
SERVICE ENTITLED STATUS DESCRIPTION
cc-eal yes n/a Common Criteria EAL2 Provisioning Packages
cis-audit no — Center for Internet Security Audit Tools
esm-infra yes disabled UA Infra: Extended Security Maintenance
fips yes n/a NIST-certified FIPS modules
fips-updates yes n/a Uncertified security updates to FIPS modules
livepatch yes disabled Canonical Livepatch service
Enable services with: ua enable <service>
Account: andreas.hasenack@xxxxxxxxxxxxx
Subscription: andreas.hasenack@xxxxxxxxxxxxx
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/update-notifier/+bug/1883315/+subscriptions
