[Bug 1881632] Re: esm security updates not reported by apt update-notifier

Andreas Hasenack 1881632 at bugs.launchpad.net
Thu Aug 6 11:48:21 UTC 2020 

This is available in trusty esm now:

  Version table:
     0.154.1ubuntu9 0
        500 https://esm.ubuntu.com/ubuntu/ trusty-infra-security/main amd64 Packages


Closing bug.

** Changed in: update-notifier (Ubuntu Trusty)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to update-notifier in Ubuntu.
https://bugs.launchpad.net/bugs/1881632

Title:
  esm security updates not reported by apt update-notifier

Status in update-notifier package in Ubuntu:
  Fix Released
Status in update-notifier source package in Trusty:
  Fix Released

Bug description:
  [Impact]
  ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.

  [Test Case]
  * Launch a trusty lxd. For example:
  lxc launch ubuntu-daily:trusty trusty

  * Update it to the latest publicly available updates:
  sudo apt update && sudo apt dist-upgrade -y

  * Make sure you have the latest ubuntu-advantage-tools:
  sudo apt install ubuntu-advantage-tools

  * Run the script that displays the motd bit about available updates:
  sudo /usr/lib/update-notifier/apt-check --human-readable

  * The output should be something like this, signaling there are only ESM updates available:
  """
  UA Infrastructure Extended Security Maintenance (ESM) is not enabled.

  0 updates can be installed immediately.
  0 of these updates are security updates.

  Enable UA Infrastructure ESM to receive 88 additional security updates.
  See https://ubuntu.com/advantage or run: sudo ua status
  """

  * Obtain an UA token for free at https://ubuntu.com/advantage

  * Run attach:
  sudo ua attach <token-obtained-in-previous-step>

  * Confirm that esm-infra was enabled:
  sudo ua status

  * Run this command again to display the motd banner output about available updates:
  sudo /usr/lib/update-notifier/apt-check --human-readable

  * You should get something like this without the fix for this bug:
  """
  UA Infrastructure Extended Security Maintenance (ESM) is enabled.

  89 updates can be installed immediately.
  89 of these updates are provided through UA Infrastructure ESM.
  0 of these updates are security updates.
  To see these additional updates run: apt list --upgradable
  """

  * In the output above, which is without the fix, note how none of the
  available updates are flagged as security

  * With the updated update-notifier package, the security updates count correctly includes the ESM security updates:
  """
  UA Infrastructure Extended Security Maintenance (ESM) is enabled.

  88 updates can be installed immediately.
  88 of these updates are provided through UA Infrastructure ESM.
  85 of these updates are security updates.
  To see these additional updates run: apt list --upgradable
  """

  [Regression Potential]
  The fix is replacing the old incorrect name (<distro>-security) of the ESM security pocket with the correct one (<distro>-infra-security). The old name came from the old ubuntu-advantage-tools bash client, version 10. If this name remains incorrect, the security update coming from ESM won't be counted, which is exactly this bug. So the regression potential in this one liner is that it remains uncounted.

  [Other Info]
  Instead of fixing the pocket's name, we could have *added* a new pocket with the current correct name, since the server part of ESM responds to both trusty-security and trusyt-infra-security (with origin UbuntuESM).

  The reasons we didn't do that are:
  - only the old bash client (version 10) used the old pocket name, and it's not available for trusty anymore (unless you go to https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+publishinghistory and fetch it)
  - there was a concern about potentially counting updates twice, if both trusty-security and trusty-infra-security were enabled at the same time
  - the upgrade from the bash client (v10) to the current client DOES NOT change the pocket name in the sources.list snippet for ESM, so in that brief moment after an upgrade and before a reattach, the count would be zero just like in this bug. HOWEVER, it's a known process that after upgrading from the bash client to the current one, the machine has to be attached again. See the last paragraph of the description in https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1832757, which is when the non-bash client was SRUed, reproduced below:
  """
  On an upgrade, existing users of trusty esm are expected to run "sudo ua attach [<token>]", although not doing it won't disable their existing ESM access. The new ua tool just won't recognize esm as being active in its "ua status" output until the attach operation is complete. The same applies to livepatch, if it was enabled before.
  """
  The process of attaching will rewrite the pocket name in the local sources.list file snippet from trusty-security to trusty-infra-security.

  
  Finally, this update is for trusty only. Xenial doesn't have ESM yet, and updating update-notifier there would be an useless download for users, with a regression risk for no benefit.

  
  [Original Description]

  ESM-related Security pocket packages are not reported being classified
  as security due to a rename in the backend apt suites from esm-
  security -> esm-infra-security and esm-apps-security.

  The customer issue reported catches the symptom well:

  """

  I believe there's a problem with "apt_check.py" in the "update-notifier-common" package when using "ua". I have enabled "ua" via "ua attach" and yet "apt-check" shows updates, but does not specify they are security updates, even though they are:
  mrussell at deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
  UA Infrastructure Extended Security Maintenance (ESM) is enabled.

  8 updates can be installed immediately.
  8 of these updates are provided through UA Infrastructure ESM.
  0 of these updates are security updates.
  To see these additional updates run: apt list --upgradable

  Note, these are the packages:
  mrussell at deputy:~$ apt list --upgradable
  Listing... Done
  apt/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable
  from: 1.0.1ubuntu2.24]
  apt-transport-https/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
  apt-utils/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
  libapt-inst1.5/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
  libapt-pkg4.12/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
  libjson-c2/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
  libjson0/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]

  If I change "isSecurityUpgrade()" to also include this
  value in "security_pockets": ("UbuntuESM", "%s-infra-security" % DISTRO),
  then, the output is correct:
  mrussell at deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
  UA Infrastructure Extended Security Maintenance (ESM) is enabled.

  8 updates can be installed immediately.
  8 of these updates are provided through UA Infrastructure ESM.
  8 of these updates are security updates.
  To see these additional updates run: apt list --upgradable
  """

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/update-notifier/+bug/1881632/+subscriptions

More information about the foundations-bugs mailing list