[Bug 2033646] Re: unattended-upgrade ignores apt-pinning to not-allowed origins
Julian Andres Klode
2033646 at bugs.launchpad.net
Tue Jul 23 12:44:37 UTC 2024
As explained before, the behavior here is intended and not a bug.
@Jan You are free to configure unattended-upgrades to install from the
PPA or add negative pins for the Ubuntu (and UbuntuESM archives, if
enabled) for src:firefox to prevent the snap from being installed.
@Piotr I will not correspond to the complete message but
> (workaround = pinning Ubuntu repository to 1/-1 for all external packages)
> Wrong.
> You may add the entire Debian repository (which will be not-allowed-origin),
> and now you have to pin every package (and dependency!) installed from Debian *by name*
> in order for "unattended-upgrades" not to mess with them.
>This "solution" would be ridiculous.
I stand by what I said. If you don't want firefox from the official
repository, pin it down. You'll want
Package: src:firefox
Pin: release o=Ubuntu
Pin-Priority: -1
Package: src:firefox
Pin: release o=UbuntuESM
Pin-Priority: -1
Of course if you install multiple packages like that you need to list
them all in the package line.
This is noticably different from pinning up the PPA and again there is
no easy way out here, the behaviour as is is what is generally needed.
Adding the Debian repository is *NOT* supported.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to unattended-upgrades in Ubuntu.
https://bugs.launchpad.net/bugs/2033646
Title:
unattended-upgrade ignores apt-pinning to not-allowed origins
Status in unattended-upgrades package in Ubuntu:
Won't Fix
Bug description:
unattended-upgrade ignores apt-pinning to not-allowed origins
=============================================================
BUG:
unattended-upgrade notices an upgrade available in NOT-ALLOWED ORIGINS,
but then completely ignores those repositories
even if they contain apt-pinned versions
that are more favorable than versions from allowed origins.
The situation repeats every time there is an upgrade available in an
external PPA.
SOLUTION:
unattended-upgrade should not ignore NOT ALLOWED ORIGINS,
but check them for providing more favorable version
and in such case restrain from doing ANY upgrades for such packages.
Instructions for ubuntu lunar 23.04:
------------------------------------
0. Upgrade all packages, uninstall Firefox:
$ sudo apt update
$ sudo apt upgrade
$ sudo snap remove firefox
$ sudo apt remove firefox
$ apt-cache policy firefox
firefox:
Installed: (none)
Candidate: 1:1snap1-0ubuntu3
Version table:
1:1snap1-0ubuntu3 500
500 http://pl.archive.ubuntu.com/ubuntu lunar/main arm64 Packages
1. Add mozilla-team Firefox PPA and apt-pin it with priority 1001:
$ echo 'deb
https://ppa.launchpadcontent.net/mozillateam/ppa/ubuntu lunar main' |
sudo tee /etc/apt/sources.list.d/firefox.list
$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys
9BDB3D89CE49EC21
$ echo -e 'Package: *\nPin: release o=LP-PPA-mozillateam\nPin-
Priority: 1001' | sudo tee /etc/apt/preferences.d/firefox
$ sudo apt update
$ apt-cache policy firefox
firefox:
Installed: (none)
Candidate: 117.0+build2-0ubuntu0.23.04.1~mt1
Version table:
1:1snap1-0ubuntu3 500
500 http://pl.archive.ubuntu.com/ubuntu lunar/main arm64 Packages
117.0+build2-0ubuntu0.23.04.1~mt1 1001
1001 https://ppa.launchpadcontent.net/mozillateam/ppa/ubuntu lunar/main arm64 Packages
2. Install Firefox (from mozilla-team Firefox PPA, as pinned):
$ sudo apt install firefox
$ apt-cache policy firefox
firefox:
Installed: 117.0+build2-0ubuntu0.23.04.1~mt1
Candidate: 117.0+build2-0ubuntu0.23.04.1~mt1
Version table:
1:1snap1-0ubuntu3 500
500 http://pl.archive.ubuntu.com/ubuntu lunar/main arm64 Packages
*** 117.0+build2-0ubuntu0.23.04.1~mt1 1001
1001 https://ppa.launchpadcontent.net/mozillateam/ppa/ubuntu lunar/main arm64 Packages
100 /var/lib/dpkg/status
3. SIMULATE AVAILABLE UPGRADE by downgrading Firefox from Mozilla-
Team's version for Ubuntu 23.04 to 22.04:
Download .deb. file from Mozilla-Team's PPA:
$ wget $(apt-get download --print-uris firefox | cut -d' ' -f1 |
tr -d "'" | sed -E 's/0ubuntu0\.[0-9]+\.[0-9]+\./0ubuntu0.22.04./')
Install it:
$ sudo dpkg -i firefox_*.22.04.*.deb
dpkg: warning: downgrading firefox from 117.0+build2-0ubuntu0.23.04.1~mt1 to 117.0+build2-0ubuntu0.22.04.1~mt1
(Reading database ... 295244 files and directories currently installed.)
Preparing to unpack firefox_117.0+build2-0ubuntu0.22.04.1~mt1_arm64.deb ...
Unpacking firefox (117.0+build2-0ubuntu0.22.04.1~mt1) over (117.0+build2-0ubuntu0.23.04.1~mt1) ...
Setting up firefox (117.0+build2-0ubuntu0.22.04.1~mt1) ...
Please restart all running instances of firefox, or you will experience problems.
Processing triggers for gnome-menus (3.36.0-1.1ubuntu1) ...
Processing triggers for desktop-file-utils (0.26-1ubuntu5) ...
Processing triggers for mailcap (3.70+nmu1ubuntu1) ...
Processing triggers for hicolor-icon-theme (0.17-2) ...
Processing triggers for man-db (2.11.2-1) ...
$ apt-cache policy firefox
firefox:
Installed: 117.0+build2-0ubuntu0.22.04.1~mt1
Candidate: 117.0+build2-0ubuntu0.23.04.1~mt1
Version table:
1:1snap1-0ubuntu3 500
500 http://pl.archive.ubuntu.com/ubuntu lunar/main arm64 Packages
117.0+build2-0ubuntu0.23.04.1~mt1 1001
1001 https://ppa.launchpadcontent.net/mozillateam/ppa/ubuntu lunar/main arm64 Packages
*** 117.0+build2-0ubuntu0.22.04.1~mt1 100
100 /var/lib/dpkg/status
4. Bug in unattended-upgrade:
Firefox is now at priority 100 ("now").
Firefox snap package is at priority 500.
Mozilla-Team PPA has priority 1001, BUT IS NOT IN UNATTENDED-UPGRADE'S "ALLOWED ORIGINS".
BUG: unattended-upgrade upgrades Firefox package to 1:1snap1-0ubuntu3:
$ sudo unattended-upgrade -v
Starting unattended upgrades script
Allowed origins are: o=Ubuntu,a=lunar, o=Ubuntu,a=lunar-security, o=UbuntuESMApps,a=lunar-apps-security, o=UbuntuESM,a=lunar-infra-security
Initial blacklist:
Initial whitelist (not strict):
Packages that will be upgraded: firefox
Writing dpkg log to /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
Preconfiguring packages ...
Preconfiguring packages ...
(Reading database ... 295244 files and directories currently installed.)
Preparing to unpack .../firefox_1%3a1snap1-0ubuntu3_arm64.deb ...
=> Installing the firefox snap
==> Checking connectivity with the snap store
==> Installing the firefox snap
=> Snap installation complete
Unpacking firefox (1:1snap1-0ubuntu3) over (117.0+build2-0ubuntu0.22.04.1~mt1) ...
dpkg: warning: unable to delete old directory '/etc/firefox': Directory not empty
dpkg: warning: unable to delete old directory '/etc/apport/blacklist.d': Directory not empty
Setting up firefox (1:1snap1-0ubuntu3) ...
Removing obsolete conffile /etc/firefox/syspref.js ...
Processing triggers for man-db (2.11.2-1) ...
Processing triggers for mailcap (3.70+nmu1ubuntu1) ...
Processing triggers for desktop-file-utils (0.26-1ubuntu5) ...
Processing triggers for hicolor-icon-theme (0.17-2) ...
Processing triggers for gnome-menus (3.36.0-1.1ubuntu1) ...
All upgrades installed
5. However apt will now (properly) want to downgrade Firefox to the
version from PPA:
$ sudo apt upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
#
# You can verify the status of security fixes using the `pro fix` command.
# E.g., a recent Ruby vulnerability can be checked with: `pro fix USN-6219-1`
# For more detail see: https://ubuntu.com/security/notices/USN-6219-1
#
The following packages will be DOWNGRADED:
firefox
0 upgraded, 0 newly installed, 1 downgraded, 0 to remove and 0 not upgraded.
Need to get 59.3 MB of archives.
After this operation, 216 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 https://ppa.launchpadcontent.net/mozillateam/ppa/ubuntu lunar/main arm64 firefox arm64 117.0+build2-0ubuntu0.23.04.1~mt1 [59.3 MB]
Fetched 59.3 MB in 1s (45.4 MB/s)
dpkg: warning: downgrading firefox from 1:1snap1-0ubuntu3 to 117.0+build2-0ubuntu0.23.04.1~mt1
(Reading database ... 295166 files and directories currently installed.)
Preparing to unpack .../firefox_117.0+build2-0ubuntu0.23.04.1~mt1_arm64.deb ...
Unpacking firefox (117.0+build2-0ubuntu0.23.04.1~mt1) over (1:1snap1-0ubuntu3) ...
Setting up firefox (117.0+build2-0ubuntu0.23.04.1~mt1) ...
Please restart all running instances of firefox, or you will experience problems.
Processing triggers for man-db (2.11.2-1) ...
Processing triggers for mailcap (3.70+nmu1ubuntu1) ...
Processing triggers for desktop-file-utils (0.26-1ubuntu5) ...
Processing triggers for hicolor-icon-theme (0.17-2) ...
Processing triggers for gnome-menus (3.36.0-1.1ubuntu1) ...
The situation repeats every time there is an upgrade available in an
external PPA.
6. Conclusion:
unattended-upgrade should not ignore NOT ALLOWED ORIGINS,
but check them for providing more favorable version
and in such case restrain from doing ANY upgrades for such packages.
WORKAROUND
----------
A. Go back to mozilla-team's 22.04 deb:
$ sudo dpkg -i firefox_*.22.04.*.deb
$ sudo snap remove firefox
B. Pin Ubuntu's official version to 1:
$ echo -e 'Package: firefox\nPin: release o=Ubuntu\nPin-Priority:
1' | sudo tee /etc/apt/preferences.d/firefox-workaround
$ apt-cache policy firefox
firefox:
Installed: 117.0+build2-0ubuntu0.22.04.1~mt1
Candidate: 117.0+build2-0ubuntu0.23.04.1~mt1
Version table:
1:1snap1-0ubuntu3 1
500 http://pl.archive.ubuntu.com/ubuntu lunar/main arm64 Packages
117.0+build2-0ubuntu0.23.04.1~mt1 1001
1001 https://ppa.launchpadcontent.net/mozillateam/ppa/ubuntu lunar/main arm64 Packages
*** 117.0+build2-0ubuntu0.22.04.1~mt1 100
100 /var/lib/dpkg/status
C. Priority 1 < 100, so Firefox will NOT be upgraded to
1:1snap1-0ubuntu3
$ sudo unattended-upgrade -v
Starting unattended upgrades script
Allowed origins are: o=Ubuntu,a=lunar, o=Ubuntu,a=lunar-security, o=UbuntuESMApps,a=lunar-apps-security, o=UbuntuESM,a=lunar-infra-security
Initial blacklist:
Initial whitelist (not strict):
MarkUpgrade() called on a non-upgradeable pkg: 'firefox'
No packages found that can be upgraded unattended and no pending auto-removals
D. apt will upgrade Firefox to the latest Mozilla-Team version:
$ sudo apt upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
#
# You can verify the status of security fixes using the `pro fix` command.
# E.g., a recent Ruby vulnerability can be checked with: `pro fix USN-6219-1`
# For more detail see: https://ubuntu.com/security/notices/USN-6219-1
#
The following packages will be upgraded:
firefox
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 59.3 MB of archives.
After this operation, 751 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 https://ppa.launchpadcontent.net/mozillateam/ppa/ubuntu lunar/main arm64 firefox arm64 117.0+build2-0ubuntu0.23.04.1~mt1 [59.3 MB]
Fetched 5171 kB in 0s (14.0 MB/s)
(Reading database ... 295244 files and directories currently installed.)
Preparing to unpack .../firefox_117.0+build2-0ubuntu0.23.04.1~mt1_arm64.deb ...
Unpacking firefox (117.0+build2-0ubuntu0.23.04.1~mt1) over (117.0+build2-0ubuntu0.22.04.1~mt1) ...
Setting up firefox (117.0+build2-0ubuntu0.23.04.1~mt1) ...
Please restart all running instances of firefox, or you will experience problems.
Processing triggers for man-db (2.11.2-1) ...
Processing triggers for mailcap (3.70+nmu1ubuntu1) ...
Processing triggers for desktop-file-utils (0.26-1ubuntu5) ...
Processing triggers for hicolor-icon-theme (0.17-2) ...
Processing triggers for gnome-menus (3.36.0-1.1ubuntu1) ...
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unattended-upgrades/+bug/2033646/+subscriptions
More information about the foundations-bugs
mailing list