Downgrading packages after removing a repository
Andrew Sayers
andrew-ubuntu-devel at pileofstuff.org
Sat Aug 1 18:49:33 UTC 2009

I've found a bug (or maybe it's a feature request) in apt (or maybe it's
in software-properties-gtk). I'd like to get people's opinions about
where this is best reported, and what the report should say.

When you add a repository to your computer, then remove that repository,
it's not obvious how to downgrade packages that are no longer available.
Normally this is a minor irritant, but it can be a security issue, or
can even make recovery very hard indeed. Here are three user stories to
illustrate the issue:

Anna added a PPA through Synaptic > Settings > Repositories, which
upgraded emacs. She didn't like the upgraded version, so she removed
the repository. She scrambled around for a while, before realising she
could get her old emacs back by removing it then reinstalling.

Tim added a repository from a random website through System > Admin >
Software Sources, then updated and was notified that a new version of
debconf was available. He installed the upgrade, then realised that the
upgrade had been downloaded from the new repository. Realising he'd
been tricked, he removed the new repository and assumed that debconf had
been uninstalled as well.

Bob, thinking that a Debian-based distribution should be okay with
Debian packages, followed command-line instructions to create
/etc/apt/sources.list.d/debian-unstable. Once his Ubuntu/Debian hybrid
was installed, he rang his technical friend to clear up the mess. The
friend tried every "apt-get" command he knew, before gradually realising
that he had to run "apt-cache showpkg <name>", find the package version,
do "apt-get install <name>=<ubuntu version>", and repeat many, many times.

Ideally, I would like well-advertised command-line and GUI options that
can downgrade packages to the latest downloadable version. Something
like this for example:

1) Add a "--ignore-status" option to apt-get, which forces it to ignore
package versions listed in /var/lib/dpkg/status. This would let "sudo
apt-get --ignore-status install ubuntu-desktop" clear up most any problem.

2) When "apt-get update" deletes a file in /var/lib/apt/lists/, print a
warning for every installed package that's just become non-downloadable,
something like "the latest version of <package> is no longer
downloadable. You may want to run `apt-get --ignore-status install
<package>`"

3) Provide similar functionality to (1) and (2) through synaptic

4) Provide similar functionality through AppCenter

Would you find this too intrusive? Not intrusive enough? Should I
forget about Synaptic now that AppCenter is coming along, or should I
focus on getting functionality into APT that can later be made available
through the GUI?
- Andrew
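
The manual check described in the post (find installed versions that exist only in /var/lib/dpkg/status, then pin each package back to a version a repository still offers) can be scripted. The sketch below is an added example, not part of the original message and not apt's own code; it parses `apt-cache policy` text rather than `apt-cache showpkg`, and the sample output, version strings and function names are constructed for illustration.

```python
import re
# Constructed, abbreviated `apt-cache policy emacs debconf bash` output (not from the post).
SAMPLE_POLICY = """\
emacs:
  Installed: 23.1~ppa1
  Version table:
 *** 23.1~ppa1 0
        100 /var/lib/dpkg/status
     22.2-0ubuntu2 0
        500 http://archive.ubuntu.com jaunty/main Packages
debconf:
  Installed: 9.9-thirdparty1
  Version table:
 *** 9.9-thirdparty1 0
        100 /var/lib/dpkg/status
     1.5.26ubuntu3 0
        500 http://archive.ubuntu.com jaunty/main Packages
bash:
  Installed: 3.2-5ubuntu1
  Version table:
 *** 3.2-5ubuntu1 0
        500 http://archive.ubuntu.com jaunty/main Packages
        100 /var/lib/dpkg/status
"""
STATUS = "/var/lib/dpkg/status"  # the only "source" of a version no repository offers

def parse_policy(text):
    """Return {package: [(version, is_installed, [sources])]} in table order."""
    pkgs, table = {}, []  # rows seen before any package header go to a discarded list
    for line in text.splitlines():
        if m := re.match(r"^(\S+):$", line):                       # "emacs:"
            table = pkgs.setdefault(m.group(1), [])
        elif m := re.match(r"^ (\*\*\*|   ) (\S+) -?\d+$", line):  # version row
            table.append((m.group(2), m.group(1) == "***", []))
        elif (m := re.match(r"^ {8}-?\d+ (\S+)", line)) and table:  # source row
            table[-1][2].append(m.group(1))
    return pkgs

def downgrade_commands(text):
    """apt-get commands for packages whose installed version no repository offers."""
    cmds = []
    for name, table in parse_policy(text).items():
        installed = next((e for e in table if e[1]), None)
        if installed is None or any(s != STATUS for s in installed[2]):
            continue  # not installed, or still downloadable
        # Assumption: the table lists newest first, so take the first repo-backed version.
        target = next((v for v, _, src in table if any(s != STATUS for s in src)), None)
        cmds.append(f"apt-get install {name}={target}" if target
                    else f"# {name}: no downloadable version found")
    return cmds
```

On a real system the input would be the output of `apt-cache policy` for the installed package names, captured after `apt-get update` has run with the unwanted repository removed.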