← Back to team overview

group.of.nepali.translators team mailing list archive

[Bug 1883315] Re: Showing esm update as installable when esm is disabled

 

Ubuntu 20.10 (Groovy Gorilla) has reached end of life, so this bug will
not be fixed for that specific release.

** Changed in: update-notifier (Ubuntu Groovy)
       Status: New => Won't Fix

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1883315

Title:
  Showing esm update as installable when esm is disabled

Status in update-notifier package in Ubuntu:
  Fix Released
Status in update-notifier source package in Xenial:
  Fix Released
Status in update-notifier source package in Bionic:
  Fix Released
Status in update-notifier source package in Focal:
  Fix Released
Status in update-notifier source package in Groovy:
  Won't Fix
Status in update-notifier source package in Hirsute:
  Fix Released
Status in update-notifier source package in Impish:
  Fix Released

Bug description:
  [Impact]
  when users are getting the message update-notifier message through apt-check they may find inconsistent behavior regarding ESM products. This is misleading since we will say to the users that they don't have ESM Infra, but they do have ESM infra packages that can be installed. This is poor marketing of our products

  [Test case]

  To reproduce the issue, you can:

  1. Launch the following old version of a xenial container:
     lxc launch ubuntu:f4c4c60a6b752a381288ae72a1689a9da00f8e03b732c8d1b8a8fcd1a8890800 dev-x

  2. Run apt update and install the updated version of update-notifier-common
  3. Add the ubuntu-advantage-tools ppa:
     https://code.launchpad.net/~ua-client/+archive/ubuntu/daily
  4. Install ubuntu-advantage-tools
  5. Install the latest version of uaclient from the stable ppa:
     https://launchpad.net/~ua-client/+archive/ubuntu/stable/
  6. Comment out all mentions of xenial-security in /etc/apt/source.list
  7. Run apt update
  8. Run /usr/lib/update-notifier/apt-check --human-readable
  9. See a message like this:
     
  UA Infra: Extended Security Maintenance (ESM) is not enabled.

  256 packages can be updated.
  5 of these updates are fixed through UA Infra: ESM.
  5 of these updates are security updates.
  To see these additional updates run: apt list --upgradable

  Enable UA Infra: ESM to receive 5 additional security updates.
  See https://ubuntu.com/security/esm or run: sudo ua status

  
  To verify that the error is fixed:

  1.Perform all the stages above until step 8
  2 Install the new update-notifier from this ppa:
    https://launchpad.net/~lamoura/+archive/ubuntu/update-notifier-test-ppa
  3. Run /usr/lib/update-notifier/apt-check --human-readable
  4. See a message like this:

  256 updates can be installed immediately.
  5 of these updates are security updates.
  To see these additional updates run: apt list --upgradable

  5. We are now only showing ESM infra specific message if the distro is
  ESM. To enforce that behavior, make the `is_esm_distro` function in
  `/usr/lub/update-notifier/apt-check` return True, then you will see
  this message:

  UA Infra: Extended Security Maintenance (ESM) is not enabled.

  256 updates can be installed immediately.
  5 of these updates are security updates.
  To see these additional updates run: apt list --upgradable

  5 additional security updates can be applied with UA Infra: ESM
  Learn more about enabling UA Infra: ESM service at https://ubuntu.com/esm

  That is now correct.

  [Where problems could occur]

  The changes in this package should only be seen when MOTD is getting a
  new message. If that script fails for some reason, it seems that MOTD
  will only not present the message, which is doesn't seem to be a
  system critical issue. Additionally, we would potentially have
  tracebacks in the update-notifier logs. Finally, if the logic is also
  incorrect, we would be displying incorrect ESM messages to the user.
  But since we are doing this now, as this bug shows, I don't think this
  is critical as well.

  [Discussion]

  With ESM Apps going to production soon, we have decided to update the
  messages delivered by update-notifier apt-check to address the package
  count of ESM Apps and the possibility of installing more upgrades if
  the user has ESM Apps disabled.

  We are also updating other parts of the messaging as well. First, we only display ESM Infra status
  on ESM distros. However, we will keep showing the ESM Infra package count on all of them.

  For ESM Apps, we are only performing the alerts (For example, that you
  might have x packages updates if ESM Apps is installed) if the user is
  on a LTS distro.

  Since we going to perform that change, we decided to also address this
  bit in the SRU, since it could harm the message we are delivering

  [Original Report]
  I came across a scenario where the output of `/usr/lib/update-notifier/apt-check --human-readable` is showing some (not all) esm updates as being installable when esm itself is disabled:

  ubuntu@trusty-desktop:~$ sudo /usr/lib/update-notifier/apt-check --human-readable
  UA Infrastructure Extended Security Maintenance (ESM) is not enabled.

  456 updates can be installed immediately.
  10 of these updates are provided through UA Infrastructure ESM.
  378 of these updates are security updates.
  To see these additional updates run: apt list --upgradable

  Enable UA Infrastructure ESM to receive 127 additional security updates.
  See https://ubuntu.com/advantage or run: sudo ua status

  If you look carefully, you will see that it's contradicting itself by saying esm is enabled and disabled at the same time:
  - 10 ESM updates can be installed immediately
  - ESM is disabled, and if you enable ESM you will get 127 additional updates

  I believe this comes from apt_check.py:253:

              # now check for security updates that are masked by a
              # canidate version from another repo (-proposed or -updates)
              for ver in pkg.version_list:
                  if (inst_ver and apt_pkg.version_compare(ver.ver_str, inst_ver.ver_str) <= 0):
                      #print("skipping '%s' " % ver.VerStr)
                      continue
                  if isESMUpgrade(ver):
                      esm_updates += 1
                  if isSecurityUpgrade(ver):
                      security_updates += 1
                      break

  I believe that is ignoring the fact that ESM is disabled. I added a pdb to check which package it was considering as an esm update, and the first response was dbus, which is in this peculiar state in the archive:
  ubuntu@trusty-desktop:~$ apt-cache policy dbus
  dbus:
    Installed: 1.6.18-0ubuntu4.3
    Candidate: 1.6.18-0ubuntu4.5
    Version table:
       1.6.18-0ubuntu4.5+esm1 0
         -32768 https://esm.ubuntu.com/ubuntu/ trusty-infra-security/main amd64 Packages
       1.6.18-0ubuntu4.5 0
          500 http://br.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
       1.6.18-0ubuntu4.4 0
          500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
   *** 1.6.18-0ubuntu4.3 0
          100 /var/lib/dpkg/status
       1.6.18-0ubuntu4 0
          500 http://br.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

  Maybe we just need to guard that isESMUpgrade(ver) call with "if
  have_esm and isESMUpgrade(ver)"?

  The other place in the code a bit up from the above which also
  increments esm_updates isn't run in this scenario, so the 10 packages
  must come from the check I highlighted above.

  Other info:
  update-notifier 0.154.1ubuntu8 from trusty-updates
  ubuntu-advantage-tools 19.6~ubuntu14.04.4 from trusty-updates
  ua is attached, but esm disabled:
  ubuntu@trusty-desktop:~$ ua status
  SERVICE       ENTITLED  STATUS    DESCRIPTION
  cc-eal        yes       n/a       Common Criteria EAL2 Provisioning Packages
  cis-audit     no        —         Center for Internet Security Audit Tools
  esm-infra     yes       disabled  UA Infra: Extended Security Maintenance
  fips          yes       n/a       NIST-certified FIPS modules
  fips-updates  yes       n/a       Uncertified security updates to FIPS modules
  livepatch     yes       disabled  Canonical Livepatch service

  Enable services with: ua enable <service>

       Account: andreas.hasenack@xxxxxxxxxxxxx
  Subscription: andreas.hasenack@xxxxxxxxxxxxx

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/update-notifier/+bug/1883315/+subscriptions