[Bug 1823070] Re: unattended-upgrades should tell the user (via motd) when security updates are held back

Balint Reczey balint.reczey at canonical.com
Fri Nov 1 17:21:59 UTC 2019 

root at uu-sru-dd:~# unattended-upgrade --verbose
Initial blacklist : 
Initial whitelist: 
Starting unattended upgrades script
Allowed origins are: o=Ubuntu,a=disco, o=Ubuntu,a=disco-security, o=UbuntuESM,a=disco
Packages that will be upgraded: file libidn2-0 libmagic-mgc libmagic1 libxslt1.1 python3-apport python3-problem-report
Writing dpkg log to /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
(Reading database ... 28941 files and directories currently installed.)
Preparing to unpack .../libidn2-0_2.0.5-1ubuntu0.3_amd64.deb ...
Unpacking libidn2-0:amd64 (2.0.5-1ubuntu0.3) over (2.0.5-1) ...
Setting up libidn2-0:amd64 (2.0.5-1ubuntu0.3) ...
Processing triggers for libc-bin (2.29-0ubuntu2) ...
Log ended: 2019-11-01  17:08:54

Log started: 2019-11-01  17:08:55
(Reading database ... 28941 files and directories currently installed.)
Preparing to unpack .../file_1%3a5.35-4ubuntu0.1_amd64.deb ...
Unpacking file (1:5.35-4ubuntu0.1) over (1:5.35-4) ...
Preparing to unpack .../libmagic1_1%3a5.35-4ubuntu0.1_amd64.deb ...
Unpacking libmagic1:amd64 (1:5.35-4ubuntu0.1) over (1:5.35-4) ...
Preparing to unpack .../libmagic-mgc_1%3a5.35-4ubuntu0.1_amd64.deb ...
Unpacking libmagic-mgc (1:5.35-4ubuntu0.1) over (1:5.35-4) ...
Setting up libmagic-mgc (1:5.35-4ubuntu0.1) ...
Setting up libmagic1:amd64 (1:5.35-4ubuntu0.1) ...
Setting up file (1:5.35-4ubuntu0.1) ...
Processing triggers for libc-bin (2.29-0ubuntu2) ...
Processing triggers for man-db (2.8.5-2) ...
Log ended: 2019-11-01  17:08:59

Log started: 2019-11-01  17:09:00
(Reading database ... 28941 files and directories currently installed.)
Preparing to unpack .../python3-apport_2.20.10-0ubuntu27.2_all.deb ...
Unpacking python3-apport (2.20.10-0ubuntu27.2) over (2.20.10-0ubuntu27.1) ...
Setting up python3-apport (2.20.10-0ubuntu27.2) ...
Log ended: 2019-11-01  17:09:04

Log started: 2019-11-01  17:09:04
(Reading database ... 28941 files and directories currently installed.)
Preparing to unpack .../python3-problem-report_2.20.10-0ubuntu27.2_all.deb ...
Unpacking python3-problem-report (2.20.10-0ubuntu27.2) over (2.20.10-0ubuntu27.1) ...
Setting up python3-problem-report (2.20.10-0ubuntu27.2) ...
Log ended: 2019-11-01  17:09:07

Log started: 2019-11-01  17:09:08
(Reading database ... 28941 files and directories currently installed.)
Preparing to unpack .../libxslt1.1_1.1.32-2ubuntu0.2_amd64.deb ...
Unpacking libxslt1.1:amd64 (1.1.32-2ubuntu0.2) over (1.1.32-2ubuntu0.1) ...
Setting up libxslt1.1:amd64 (1.1.32-2ubuntu0.2) ...
Processing triggers for libc-bin (2.29-0ubuntu2) ...
All upgrades installed
root at uu-sru-dd:~# update-motd
Welcome to Ubuntu 19.04 (GNU/Linux 5.0.0-32-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri Nov  1 17:09:55 UTC 2019

  System load:    1.99      Processes:           26
  Usage of /home: unknown   Users logged in:     0
  Memory usage:   0%        IP address for eth0: 10.84.73.43
  Swap usage:     49%

0 updates can be installed immediately.
0 of these updates are security updates.


1 updates could not be installed automatically. For more details,
see /var/log/unattended-upgrades/unattended-upgrades.log

root at uu-sru-dd:~# dpkg -l unattended-upgrades | cat
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                Version       Architecture Description
+++-===================-=============-============-===========================================
ii  unattended-upgrades 1.10ubuntu5.2 all          automatic installation of security upgrades


** Tags removed: verification-needed-disco
** Tags added: verification-done-disco

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to unattended-upgrades in Ubuntu.
https://bugs.launchpad.net/bugs/1823070

Title:
  unattended-upgrades should tell the user (via motd) when security
  updates are held back

Status in unattended-upgrades package in Ubuntu:
  Fix Released
Status in unattended-upgrades source package in Xenial:
  Fix Committed
Status in unattended-upgrades source package in Bionic:
  Fix Committed
Status in unattended-upgrades source package in Disco:
  Fix Committed

Bug description:
  [Impact]

   * MOTD does not go into details about upgradable packages being security fixes or just normal updates.
   * Users should be made aware if some of the security updates could not have been applied.
   * The fix is adding a snipped to MOTD where the number of packages kept back by unattended-upgrades is shown.

  [Test Case]

   * The debian/tests/upgrade-all-security is extended to check if the number of kept back packages are shown in MOTD and a new test is added (test/test_motd.py) to check if the list of kept back packages are saved properly.
   * To test the fix manually:
     1. Mark a package upgradable from the -security pocket as held, then run unattended-upgrades.
     2. Observe MOTD messate showing the number of packages being kept back.

  [Regression Potential]

   * Unattended-upgrades may crash when saving kept packages and always
  return with failure. MOTD may hang or print error while printing the
  packages kept back by u-u.

   * It is not a regression, but the log referenced in MOTD does not
  always contain explanation why each package was kept back, unless
  debugging is enabled. One case where packages are not mentioned in the
  log is when the packages are held using 'apt-mark hold' command.

  [Original Bug Text]

  Currently we have the following pieces as part of the default UX on
  Ubuntu 18.04 and later:

   1) unattended-upgrades automatically installs security updates daily by default
   2) the motd reports the number of available updates, including security updates.

  A user who knows about 1) also knows that a non-zero number of pending
  security updates listed in 2) is nothing to worry about.

  However, unattended-upgrades will also cleverly detect when a security
  update cannot safely be installed non-interactively due to conffile
  changes on the system.

  In this case, unattended-upgrades should also inform the user via the
  motd that these updates are not being installed.  Otherwise, there's
  nothing to tell the user that the non-zero count of available security
  updates in motd is a *problem*.

  Suggested wording:

   N security updates will not be automatically installed due to local changes.
   See /var/log/foo for details.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unattended-upgrades/+bug/1823070/+subscriptions

More information about the foundations-bugs mailing list