[Bug 1857051] Re: Please add ${distro_id}ESM:${distro_codename}-infra-security and ${distro_id}ESMApps:${distro_codename}-apps-security to allowed origins (on Ubuntu)

[Joshua Powers]

We will not drop the Eoan task as the SRU needs to go back to all
supported versions of the package, whether or not the UA components are
available in that release.

The test for Eoan then is to verify that nothing regressed. Please re-
test that unattended-upgrades continues to function with no new error
messages on Eoan.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to unattended-upgrades in Ubuntu.
https://bugs.launchpad.net/bugs/1857051

Title:
  Please add ${distro_id}ESM:${distro_codename}-infra-security  and
  ${distro_id}ESMApps:${distro_codename}-apps-security to allowed
  origins (on Ubuntu)

Status in unattended-upgrades package in Ubuntu:
  Fix Released
Status in unattended-upgrades source package in Trusty:
  New
Status in unattended-upgrades source package in Xenial:
  Fix Committed
Status in unattended-upgrades source package in Bionic:
  Fix Committed
Status in unattended-upgrades source package in Eoan:
  Fix Committed

Bug description:
  [Impact]

   * Changes to the ESM repo naming and the introduction of the new esm-infra and esm-apps suites require an update to unattended-upgrades to ensure the security pockets are used.
   * This change will ensure users are actually receiving updates, where as today they will not without making manual changes.

  [Test Case]

   * 1) Bionic and Xenial ESM-Apps/ESM-infra with Ubuntu Pro
   * 2) Trusty ESM

  [Regression Potential]

   * This change is ensuring users actually receive security updates when using ESM. Therefore, 1) users of ESM-apps on Ubuntu Pro and 2) ESM-infra on Trusty will be the only users affected.
   * The possible issue would be if/when users receive actual security updates that then regress or cause issues to the system.

  [Other Info]
   
  Previous description:

  ESM <distro>-infra-security and <distro>-apps-security will need to
  participate in unattended upgrades.

  Currently /etc/apt/apt.conf.d/50unattended-upgrades provides:
  Unattended-Upgrade::Allowed-Origins {
          "${distro_id}ESM:${distro_codename}";
  }

  Given that there have been ESM apt pocket renames over the last few
  months, the above ESM allowed-origin should not apply anymore and can
  be dropped or replaced.

  See RT #C122697 and #C121067 for the pocket/suite renames related to
  ESM

  What is needed after the ESM apt pocket/suite renames:

  Support for unattended upgrades for ESM for Infrastructure customers:

  Unattended-Upgrade::Allowed-Origins {
    // Extended Security Maintenance; doesn't necessarily exist for
    // every release and this system may not have it installed, but if
    // available, the policy for updates is such that unattended-upgrades
    // should also install from here by default.
    "${distro_id}ESM:${distro_codename}-infra-security";
    "${distro_id}ESMApps:${distro_codename}-apps-security";
  };

  === Confirmed proper origin on an attached Trusty instance with ESM-
  infra enabled:

   500 https://esm.ubuntu.com/ubuntu/ trusty-infra-security/main amd64 Packages
       release v=14.04,o=UbuntuESM,a=trusty-infra-security,n=trusty,l=UbuntuESM,c=main

  === Confirmed proper origins on Bionic for enabled ESM-infra and ESM-apps on an AWS Ubuntu PRO instance:
   500 https://esm.ubuntu.com/infra/ubuntu bionic-infra-security/main amd64 Packages
       release v=18.04,o=UbuntuESM,a=bionic-infra-security,n=bionic,l=UbuntuESM,c=main,b=amd64

   500 https://esm.ubuntu.com/apps/ubuntu bionic-apps-security/main amd64 Packages
       release v=18.04,o=UbuntuESMApps,a=bionic-apps-security,n=bionic,l=UbuntuESMApps,c=main,b=amd64

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unattended-upgrades/+bug/1857051/+subscriptions