[Bug 1883315] Re: Showing esm update as installable when esm is disabled

Bryce Harrington 1883315 at bugs.launchpad.net
Mon Apr 26 21:33:46 UTC 2021


** Changed in: update-notifier (Ubuntu Bionic)
     Assignee: (unassigned) => Lucas Albuquerque Medeiros de Moura (lamoura)

** Changed in: update-notifier (Ubuntu Focal)
     Assignee: (unassigned) => Lucas Albuquerque Medeiros de Moura (lamoura)

** Changed in: update-notifier (Ubuntu Hirsute)
     Assignee: (unassigned) => Chad Smith (chad.smith)

** Changed in: update-notifier (Ubuntu Impish)
     Assignee: (unassigned) => Chad Smith (chad.smith)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to update-notifier in Ubuntu.
https://bugs.launchpad.net/bugs/1883315

Title:
  Showing esm update as installable when esm is disabled

Status in update-notifier package in Ubuntu:
  New
Status in update-notifier source package in Xenial:
  In Progress
Status in update-notifier source package in Bionic:
  New
Status in update-notifier source package in Focal:
  New
Status in update-notifier source package in Groovy:
  New
Status in update-notifier source package in Hirsute:
  New
Status in update-notifier source package in Impish:
  New

Bug description:
  I came across a scenario where the output of
  `/usr/lib/update-notifier/apt-check --human-readable` is showing some
  (not all) esm updates as being installable when esm itself is disabled:

  ubuntu@trusty-desktop:~$ sudo /usr/lib/update-notifier/apt-check --human-readable
  UA Infrastructure Extended Security Maintenance (ESM) is not enabled.

  456 updates can be installed immediately.
  10 of these updates are provided through UA Infrastructure ESM.
  378 of these updates are security updates.
  To see these additional updates run: apt list --upgradable

  Enable UA Infrastructure ESM to receive 127 additional security updates.
  See https://ubuntu.com/advantage or run: sudo ua status

  
  If you look carefully, you will see that it's contradicting itself by saying esm is enabled and disabled at the same time:
  - 10 ESM updates can be installed immediately
  - ESM is disabled, and if you enable ESM you will get 127 additional updates

  I believe this comes from apt_check.py:253:

              # now check for security updates that are masked by a 
              # canidate version from another repo (-proposed or -updates)
              for ver in pkg.version_list:
                  if (inst_ver and apt_pkg.version_compare(ver.ver_str, inst_ver.ver_str) <= 0):
                      #print("skipping '%s' " % ver.VerStr)
                      continue
                  if isESMUpgrade(ver):
                      esm_updates += 1
                  if isSecurityUpgrade(ver):
                      security_updates += 1
                      break

  I believe that is ignoring the fact that ESM is disabled. I added a pdb to check which package it was considering as an esm update, and the first response was dbus, which is in this peculiar state in the archive:
  ubuntu@trusty-desktop:~$ apt-cache policy dbus
  dbus:
    Installed: 1.6.18-0ubuntu4.3
    Candidate: 1.6.18-0ubuntu4.5
    Version table:
       1.6.18-0ubuntu4.5+esm1 0
         -32768 https://esm.ubuntu.com/ubuntu/ trusty-infra-security/main amd64 Packages
       1.6.18-0ubuntu4.5 0
          500 http://br.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
       1.6.18-0ubuntu4.4 0
          500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
   *** 1.6.18-0ubuntu4.3 0
          100 /var/lib/dpkg/status
       1.6.18-0ubuntu4 0
          500 http://br.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

  Maybe we just need to guard that isESMUpgrade(ver) call with "if
  have_esm and isESMUpgrade(ver)"?

  The other place in the code a bit up from the above which also
  increments esm_updates isn't run in this scenario, so the 10 packages
  must come from the check I highlighted above.

  
  Other info:
  update-notifier 0.154.1ubuntu8 from trusty-updates
  ubuntu-advantage-tools 19.6~ubuntu14.04.4 from trusty-updates
  ua is attached, but esm disabled:
  ubuntu@trusty-desktop:~$ ua status
  SERVICE       ENTITLED  STATUS    DESCRIPTION
  cc-eal        yes       n/a       Common Criteria EAL2 Provisioning Packages
  cis-audit     no        —         Center for Internet Security Audit Tools
  esm-infra     yes       disabled  UA Infra: Extended Security Maintenance
  fips          yes       n/a       NIST-certified FIPS modules
  fips-updates  yes       n/a       Uncertified security updates to FIPS modules
  livepatch     yes       disabled  Canonical Livepatch service

  Enable services with: ua enable <service>

       Account: andreas.hasenack at canonical.com
  Subscription: andreas.hasenack at canonical.com

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/update-notifier/+bug/1883315/+subscriptions
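
Added example, not part of the original report or of update-notifier's code: a simplified model of the counting loop quoted in the bug description, run over the dbus version table from the report, with and without the proposed `have_esm` guard. The `Version` class, `is_esm_upgrade`, `is_security_upgrade` and `count_masked` are hypothetical stand-ins, and list position replaces `apt_pkg.version_compare`.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Version:
    ver_str: str
    archive: str  # suite the version is published in
    site: str     # host serving it

# Constructed from the dbus `apt-cache policy` table in the report, newest first.
DBUS_VERSIONS = [
    Version("1.6.18-0ubuntu4.5+esm1", "trusty-infra-security", "esm.ubuntu.com"),
    Version("1.6.18-0ubuntu4.5", "trusty-updates", "br.archive.ubuntu.com"),
    Version("1.6.18-0ubuntu4.4", "trusty-security", "security.ubuntu.com"),
    Version("1.6.18-0ubuntu4.3", "now", ""),  # installed (/var/lib/dpkg/status)
    Version("1.6.18-0ubuntu4", "trusty", "br.archive.ubuntu.com"),
]
INSTALLED = "1.6.18-0ubuntu4.3"

def is_esm_upgrade(ver):
    # Assumption: an ESM version is recognised by the host that serves it.
    return ver.site == "esm.ubuntu.com"

def is_security_upgrade(ver):
    # Assumption: only the regular -security suite counts here.
    return ver.archive == "trusty-security"

def count_masked(version_list, installed, have_esm, guarded):
    """Return (esm_updates, security_updates) for one package."""
    inst_idx = [v.ver_str for v in version_list].index(installed)
    esm_updates = security_updates = 0
    for idx, ver in enumerate(version_list):
        # Skip versions that are not newer than the installed one.
        if idx >= inst_idx:
            continue
        # The guard from the report: count ESM only when ESM is enabled.
        esm_hit = is_esm_upgrade(ver) and (have_esm or not guarded)
        if esm_hit:
            esm_updates += 1
        if is_security_upgrade(ver):
            security_updates += 1
            break
    return esm_updates, security_updates

if __name__ == "__main__":
    print("unguarded:", count_masked(DBUS_VERSIONS, INSTALLED, False, False))
    print("guarded:  ", count_masked(DBUS_VERSIONS, INSTALLED, False, True))
```

With ESM disabled, the unguarded loop counts the `+esm1` version even though it is pinned at -32768 and can never be selected; the guarded loop leaves the security count unchanged and reports no ESM update.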


