[Bug 1538299] [NEW] Unauthenticated packages check seems odd
Brian Murray
brian at ubuntu.com
Tue Jan 26 21:29:16 UTC 2016
Public bug reported:
The upgrade path from 14.04 to 15.04 was broken as documented in bug
1534374 (due to an SRU of gcc in Trusty that created a greater version
than the one in Vivid), however some systems received the following
message in /var/log/dist-upgrade/main.log:
2016-01-26 12:41:55,222 DEBUG Marking 'ubuntu-desktop' for upgrade
2016-01-26 12:41:55,674 WARNING Can't mark 'ubuntu-desktop' for upgrade (E:Unable to correct problems, you have held broken packages.)
2016-01-26 12:41:55,859 ERROR Unauthenticated packages found: 'gettext libatomic1 libfftw3-single3 libgomp1 libitm1 libquadmath0 libstdc++6 libtsan0 onboard'
Digging into the release upgrade code in DistUpgradeCache.py we can see
the following:
    # check the trust of the packages that are going to change
    untrusted = []
    for pkg in self.get_changes():
        if pkg.marked_delete:
            continue
        # special case because of a bug in pkg.candidate.origins
        if pkg.marked_downgrade:
            for ver in pkg._pkg.version_list:
                # version is lower than installed one
                if apt_pkg.version_compare(
                        ver.ver_str, pkg.installed.version) < 0:
                    for (verFileIter, index) in ver.file_list:
                        indexfile = pkg._pcache._list.find_index(verFileIter)
                        if indexfile and not indexfile.is_trusted:
                            untrusted.append(pkg.name)
                            break
            continue
It seems odd to me that we only check if packages are trusted when
downgrading them and that we don't log that the packages are being
downgraded. Examples of this issue can be found in bug 1535407 and bug
1531333. Additionally, it's strange that the packages (from the official
archive) would be considered untrusted.
** Affects: ubuntu-release-upgrader (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ubuntu-release-upgrader in
Ubuntu.
https://bugs.launchpad.net/bugs/1538299
Title:
Unauthenticated packages check seems odd
Status in ubuntu-release-upgrader package in Ubuntu:
New
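For triaging other systems that hit this abort, the following sketch pulls each "Unauthenticated packages found" error out of a dist-upgrade main.log together with the warnings logged just before it. It is an added example, not part of the bug report or of ubuntu-release-upgrader; the record layout (timestamp, level, message) is assumed from the three log lines quoted in the report, and the function name and `context` parameter are hypothetical.

```python
import re

# Sample input: the three log lines quoted in the report above.
SAMPLE_LOG = """\
2016-01-26 12:41:55,222 DEBUG Marking 'ubuntu-desktop' for upgrade
2016-01-26 12:41:55,674 WARNING Can't mark 'ubuntu-desktop' for upgrade (E:Unable to correct problems, you have held broken packages.)
2016-01-26 12:41:55,859 ERROR Unauthenticated packages found: 'gettext libatomic1 libfftw3-single3 libgomp1 libitm1 libquadmath0 libstdc++6 libtsan0 onboard'
"""

# Assumed record layout: "<date> <time>,<ms> <LEVEL> <message>"
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) "
    r"(DEBUG|INFO|WARNING|ERROR|CRITICAL) (.*)$")
UNAUTH_RE = re.compile(r"^Unauthenticated packages found: '([^']*)'")


def find_unauthenticated(log_text, context=2):
    """Return one finding per 'Unauthenticated packages found' error.

    Each finding carries the timestamp, the sorted package names, and the
    WARNING/ERROR messages among the `context` records logged just before.
    """
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(list(m.groups()))
        elif records:
            # Line without a timestamp: continuation of the previous record.
            records[-1][2] += "\n" + line
    findings = []
    for i, (ts, level, msg) in enumerate(records):
        m = UNAUTH_RE.match(msg)
        if level == "ERROR" and m:
            before = records[max(0, i - context):i]
            findings.append({
                "timestamp": ts,
                "packages": sorted(m.group(1).split()),
                "preceding_problems": [
                    r[2] for r in before if r[1] in ("WARNING", "ERROR")],
            })
    return findings


if __name__ == "__main__":
    for f in find_unauthenticated(SAMPLE_LOG):
        print(f["timestamp"], len(f["packages"]), "packages:", *f["packages"])
        for p in f["preceding_problems"]:
            print("  preceded by:", p)
```

Because the upgrader does not log which packages were marked for downgrade, the output lists package names only; whether each one was a downgrade has to be checked against the archive versions separately.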