[Bug 1881632] Re: esm security updates not reported by apt update-notifier

Andreas Hasenack 1881632 at bugs.launchpad.net
Mon Jun 22 17:58:25 UTC 2020


** Description changed:

- [Impact] 
+ [Impact]
  ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.
- 
  
  [Test Case]
  * Launch a trusty lxd. For example:
  lxc launch ubuntu-daily:trusty trusty
  
- 
  * Update it to the latest publicly available updates:
  sudo apt update && sudo apt dist-upgrade -y
- 
  
  * Make sure you have the latest ubuntu-advantage-tools:
  sudo apt install ubuntu-advantage-tools
  
- 
  * Run the script that displays the motd bit about available updates:
  sudo /usr/lib/update-notifier/apt-check --human-readable
- 
  
  * The output should be something like this, signaling there are only ESM updates available:
  """
  UA Infrastructure Extended Security Maintenance (ESM) is not enabled.
  
  0 updates can be installed immediately.
  0 of these updates are security updates.
  
  Enable UA Infrastructure ESM to receive 88 additional security updates.
  See https://ubuntu.com/advantage or run: sudo ua status
  """
  
- 
  * Obtain an UA token for free at https://ubuntu.com/advantage
- 
  
  * Run attach:
  sudo ua attach <token-obtained-in-previous-step>
  
- 
  * Confirm that esm-infra was enabled:
  sudo ua status
  
- 
  * Run this command again to display the motd banner output about available updates:
  sudo /usr/lib/update-notifier/apt-check --human-readable
- 
  
  * You should get something like this without the fix for this bug:
  """
  UA Infrastructure Extended Security Maintenance (ESM) is enabled.
  
  89 updates can be installed immediately.
  89 of these updates are provided through UA Infrastructure ESM.
  0 of these updates are security updates.
  To see these additional updates run: apt list --upgradable
  """
  
  * In the output above, which is without the fix, note how none of the
  available updates are flagged as security
  
- 
  * With the updated update-notifier package, the security updates count correctly includes the ESM security updates:
  """
  UA Infrastructure Extended Security Maintenance (ESM) is enabled.
  
  88 updates can be installed immediately.
  88 of these updates are provided through UA Infrastructure ESM.
  85 of these updates are security updates.
  To see these additional updates run: apt list --upgradable
  """
  
+ [Regression Potential]
+ The fix is replacing the old incorrect name of the ESM security pocket, so it is already not working. It's also adding a new source of security updates though, UbuntuESMApps, but it doesn't exist for Trusty at the moment, so shouldn't be harmful.
+ The check for file origin was done comparing to a string, now it's checking for the contents of a tuple, something very common in python.
+ If there are regressions here, like these changes introducing a backtrace, the impact is that the MOTD message about available updates would not display, or be incorrect.
  
- [Regression Potential] 
- 
-  * discussion of how regressions are most likely to manifest as a result
- of this change.
- 
-  * It is assumed that any SRU candidate patch is well-tested before
-    upload and has a low overall risk of regression, but it's important
-    to make the effort to think about what ''could'' happen in the
-    event of a regression.
- 
-  * This both shows the SRU team that the risks have been considered,
-    and provides guidance to testers in regression-testing the SRU.
  
  [Other Info]
-  
-  * Anything else you think is useful to include
-  * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
-  * and address these questions in advance
+ There is no test case for the UbuntuESMApps addition, because it's not available for trusty at the moment. One could argue then that it shouldn't be part of the SRU, and that's true. I'll leave it to the SRU team to balance pros and cons, i.e., risk of an unnecessary regression for a feature that doesn't exist.
  
  
  [Original Description]
  
  ESM-related Security pocket packages are not reported being classified
  as security due to a rename in the backend apt suites from esm-security
  -> esm-infra-security and esm-apps-security.
  
  The customer issue reported catches the symptom well:
  
  """
  
  I believe there's a problem with "apt_check.py" in the "update-notifier-common" package when using "ua". I have enabled "ua" via "ua attach" and yet "apt-check" shows updates, but does not specify they are security updates, even though they are:
  mrussell at deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
  UA Infrastructure Extended Security Maintenance (ESM) is enabled.
  
  8 updates can be installed immediately.
  8 of these updates are provided through UA Infrastructure ESM.
  0 of these updates are security updates.
  To see these additional updates run: apt list --upgradable
  
  Note, these are the packages:
  mrussell at deputy:~$ apt list --upgradable
  Listing... Done
  apt/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable
  from: 1.0.1ubuntu2.24]
  apt-transport-https/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
  apt-utils/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
  libapt-inst1.5/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
  libapt-pkg4.12/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
  libjson-c2/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
  libjson0/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
  
  If I change "isSecurityUpgrade()" to also include this
  value in "security_pockets": ("UbuntuESM", "%s-infra-security" % DISTRO),
  then, the output is correct:
  mrussell at deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
  UA Infrastructure Extended Security Maintenance (ESM) is enabled.
  
  8 updates can be installed immediately.
  8 of these updates are provided through UA Infrastructure ESM.
  8 of these updates are security updates.
  To see these additional updates run: apt list --upgradable
  """

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to update-notifier in Ubuntu.
https://bugs.launchpad.net/bugs/1881632

Title:
  esm security updates not reported by apt update-notifier

Status in update-notifier package in Ubuntu:
  Fix Released

Bug description:
  [Impact]
  ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.

  [Test Case]
  * Launch a trusty lxd. For example:
  lxc launch ubuntu-daily:trusty trusty

  * Update it to the latest publicly available updates:
  sudo apt update && sudo apt dist-upgrade -y

  * Make sure you have the latest ubuntu-advantage-tools:
  sudo apt install ubuntu-advantage-tools

  * Run the script that displays the motd bit about available updates:
  sudo /usr/lib/update-notifier/apt-check --human-readable

  * The output should be something like this, signaling there are only ESM updates available:
  """
  UA Infrastructure Extended Security Maintenance (ESM) is not enabled.

  0 updates can be installed immediately.
  0 of these updates are security updates.

  Enable UA Infrastructure ESM to receive 88 additional security updates.
  See https://ubuntu.com/advantage or run: sudo ua status
  """

  * Obtain a UA token for free at https://ubuntu.com/advantage

  * Run attach:
  sudo ua attach <token-obtained-in-previous-step>

  * Confirm that esm-infra was enabled:
  sudo ua status

  * Run this command again to display the motd banner output about available updates:
  sudo /usr/lib/update-notifier/apt-check --human-readable

  * You should get something like this without the fix for this bug:
  """
  UA Infrastructure Extended Security Maintenance (ESM) is enabled.

  89 updates can be installed immediately.
  89 of these updates are provided through UA Infrastructure ESM.
  0 of these updates are security updates.
  To see these additional updates run: apt list --upgradable
  """

  * In the output above, which is without the fix, note how none of the
  available updates are flagged as security

  * With the updated update-notifier package, the security updates count correctly includes the ESM security updates:
  """
  UA Infrastructure Extended Security Maintenance (ESM) is enabled.

  88 updates can be installed immediately.
  88 of these updates are provided through UA Infrastructure ESM.
  85 of these updates are security updates.
  To see these additional updates run: apt list --upgradable
  """

  [Regression Potential]
  The fix is replacing the old incorrect name of the ESM security pocket, so it is already not working. It's also adding a new source of security updates though, UbuntuESMApps, but it doesn't exist for Trusty at the moment, so shouldn't be harmful.
  The check for file origin was done comparing to a string, now it's checking for the contents of a tuple, something very common in Python.
  If there are regressions here, like these changes introducing a backtrace, the impact is that the MOTD message about available updates would not display, or be incorrect.

  
  [Other Info]
  There is no test case for the UbuntuESMApps addition, because it's not available for trusty at the moment. One could argue then that it shouldn't be part of the SRU, and that's true. I'll leave it to the SRU team to balance pros and cons, i.e., risk of an unnecessary regression for a feature that doesn't exist.


  [Original Description]

  ESM-related Security pocket packages are not reported being classified
  as security due to a rename in the backend apt suites from esm-security
  -> esm-infra-security and esm-apps-security.

  The customer issue reported catches the symptom well:

  """

  I believe there's a problem with "apt_check.py" in the "update-notifier-common" package when using "ua". I have enabled "ua" via "ua attach" and yet "apt-check" shows updates, but does not specify they are security updates, even though they are:
  mrussell at deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
  UA Infrastructure Extended Security Maintenance (ESM) is enabled.

  8 updates can be installed immediately.
  8 of these updates are provided through UA Infrastructure ESM.
  0 of these updates are security updates.
  To see these additional updates run: apt list --upgradable

  Note, these are the packages:
  mrussell at deputy:~$ apt list --upgradable
  Listing... Done
  apt/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable
  from: 1.0.1ubuntu2.24]
  apt-transport-https/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
  apt-utils/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
  libapt-inst1.5/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
  libapt-pkg4.12/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
  libjson-c2/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
  libjson0/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]

  If I change "isSecurityUpgrade()" to also include this
  value in "security_pockets": ("UbuntuESM", "%s-infra-security" % DISTRO),
  then, the output is correct:
  mrussell at deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
  UA Infrastructure Extended Security Maintenance (ESM) is enabled.

  8 updates can be installed immediately.
  8 of these updates are provided through UA Infrastructure ESM.
  8 of these updates are security updates.
  To see these additional updates run: apt list --upgradable
  """
