[Bug 1687129] Re: Needs to allow updates from the ESM archive

Steve Langasek steve.langasek at canonical.com
Wed May 3 17:43:29 UTC 2017 

My output with precise-updates:
$ sudo unattended-upgrades --debug --dry-run
Initial blacklisted packages: 
Starting unattended upgrades script
Allowed origins are: ['o=Ubuntu,a=precise-security']
Checking: unattended-upgrades (["<Origin component:'main' archive:'' origin:'' label:'precise archive' site:'esm.ubuntu.com' isTrusted:True>"])
pkgs that look like they should be upgraded: 
Fetched 0 B in 0s (0 B/s)                                                      
blacklist: []
InstCount=0 DelCount=0 BrokenCout=0
No packages found that can be upgraded unattended and no pending auto-removals
$

My output with precise-proposed:
$ sudo unattended-upgrades --debug --dry-runInitial blacklisted packages: 
Starting unattended upgrades script
Allowed origins are: ['o=Ubuntu,a=precise-security', 'o=UbuntuESM,a=precise']
Checking: unattended-upgrades (["<Origin component:'main' archive:'' origin:'' label:'precise archive' site:'esm.ubuntu.com' isTrusted:True>"])
pkgs that look like they should be upgraded: 
Fetched 0 B in 0s (0 B/s)                                                      
blacklist: []
InstCount=0 DelCount=0 BrokenCout=0
No packages found that can be upgraded unattended and no pending auto-removals
$

So it's not being installed.  It doesn't look like the publication
changes are live on esm.u.c.

** Description changed:

- [Impact]
- ESM users relying on unattended upgrades.
+ [SRU Justification]
+ When the dust has settled on the ESM archive Release file format[1], unattended-upgrades needs to be tweaked to match.
  
- [Test cases]
- This requires a system installed with Ubuntu 12.04 and Ubuntu Advantage credentials.
+ [1] https://github.com/CanonicalLtd/archive-auth-mirror/issues/43
  
- 1) install ubuntu-advantage-tools and unattended upgrades
- 2) run 'sudo ubuntu-advantage enable-esm'; supply credentials for Ubuntu Advantage
- 3) run 'sudo apt-get update'
- 4) fake up the contents of /var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_precise_main_binary-amd64_Packages to list a newer version of unattended-upgrades
- 5) run 'sudo unattended-upgrades --debug --apt-debug'
+ Since the ESM archive contains packages updated by the Ubuntu Security
+ team, we should ensure the behavior of unattended-upgrades applies the
+ same default policy to both.
+ 
+ [Test case]
+ 1. run 'sudo apt-get install ubuntu-advantage-tools unattended-upgrades'
+ 2. run 'sudo ubuntu-advantage enable-esm <creds>' with your private creds to enable the ESM archive
+ 3. run 'sudo apt-get update'
+ 4. create a faked-up entry in /var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_precise_main_binary-amd64_Packages for the unattended-upgrades package with a higher version number
+ 5. run 'sudo unattended-upgrades --debug --apt-debug' and verify that no unattended-upgrades package is installed.
+ 6. install unattended-upgrades from -proposed.
+ 7. again create a faked-up entry in /var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_precise_main_binary-amd64_Packages for the unattended-upgrades package with a higher version number
+ 8. run 'sudo unattended-upgrades --debug --aptdebug' and verify that it tries to install a new unattended-upgrades package (though this will fail).
  
  [Regression potential]
  
- 
  ---
- 
- When the dust has settled on the ESM archive Release file format[1],
- unattended-upgrades needs to be tweaked to match.
- 
- [1] https://github.com/CanonicalLtd/archive-auth-mirror/issues/43

** Description changed:

  [SRU Justification]
  When the dust has settled on the ESM archive Release file format[1], unattended-upgrades needs to be tweaked to match.
  
  [1] https://github.com/CanonicalLtd/archive-auth-mirror/issues/43
  
  Since the ESM archive contains packages updated by the Ubuntu Security
  team, we should ensure the behavior of unattended-upgrades applies the
  same default policy to both.
  
  [Test case]
  1. run 'sudo apt-get install ubuntu-advantage-tools unattended-upgrades'
  2. run 'sudo ubuntu-advantage enable-esm <creds>' with your private creds to enable the ESM archive
  3. run 'sudo apt-get update'
  4. create a faked-up entry in /var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_precise_main_binary-amd64_Packages for the unattended-upgrades package with a higher version number
- 5. run 'sudo unattended-upgrades --debug --apt-debug' and verify that no unattended-upgrades package is installed.
+ 5. run 'sudo unattended-upgrades --debug --dry-run' and verify that no unattended-upgrades package is installed.
  6. install unattended-upgrades from -proposed.
  7. again create a faked-up entry in /var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_precise_main_binary-amd64_Packages for the unattended-upgrades package with a higher version number
- 8. run 'sudo unattended-upgrades --debug --aptdebug' and verify that it tries to install a new unattended-upgrades package (though this will fail).
+ 8. run 'sudo unattended-upgrades --debug --dry-run' and verify that it offers to install a new unattended-upgrades package.
  
  [Regression potential]
- 
- ---
+ Worst-case scenario is a bug that prevents future security updates from being applied correctly.  This is not a concern for precise because there will be no further security updates /except/ those enabled by this SRU, but this SRU should also be included in all later stable releases.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to unattended-upgrades in Ubuntu.
https://bugs.launchpad.net/bugs/1687129

Title:
  Needs to allow updates from the ESM archive

Status in unattended-upgrades package in Ubuntu:
  Confirmed
Status in unattended-upgrades source package in Precise:
  Fix Committed

Bug description:
  [SRU Justification]
  When the dust has settled on the ESM archive Release file format[1], unattended-upgrades needs to be tweaked to match.

  [1] https://github.com/CanonicalLtd/archive-auth-mirror/issues/43

  Since the ESM archive contains packages updated by the Ubuntu Security
  team, we should ensure the behavior of unattended-upgrades applies the
  same default policy to both.

  [Test case]
  1. run 'sudo apt-get install ubuntu-advantage-tools unattended-upgrades'
  2. run 'sudo ubuntu-advantage enable-esm <creds>' with your private creds to enable the ESM archive
  3. run 'sudo apt-get update'
  4. create a faked-up entry in /var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_precise_main_binary-amd64_Packages for the unattended-upgrades package with a higher version number
  5. run 'sudo unattended-upgrades --debug --dry-run' and verify that no unattended-upgrades package is installed.
  6. install unattended-upgrades from -proposed.
  7. again create a faked-up entry in /var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_precise_main_binary-amd64_Packages for the unattended-upgrades package with a higher version number
  8. run 'sudo unattended-upgrades --debug --dry-run' and verify that it offers to install a new unattended-upgrades package.

  [Regression potential]
  Worst-case scenario is a bug that prevents future security updates from being applied correctly.  This is not a concern for precise because there will be no further security updates /except/ those enabled by this SRU, but this SRU should also be included in all later stable releases.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unattended-upgrades/+bug/1687129/+subscriptions

More information about the foundations-bugs mailing list