Software updater snuck in a package that is unwanted

Bret Busby bret.busby at gmail.com
Tue Oct 17 20:02:12 UTC 2017


On 18/10/2017, Tom H <tomh0665 at gmail.com> wrote:
> On Tue, Oct 17, 2017 at 12:54 PM, Bret Busby <bret at busby.net> wrote:
>>
>> :~$ sudo apt-get purge unattended-upgrades
>> [sudo] password for bret:
>> Reading package lists... Done
>> Building dependency tree
>> Reading state information... Done
>> The following packages were automatically installed and are no longer
>> required:
>> libllvm3.8:i386 libllvm3.8 libudev1:i386 linux-headers-4.4.0-36
>> linux-headers-4.4.0-36-generic
>> linux-headers-4.4.0-38 linux-headers-4.4.0-38-generic
>> linux-headers-4.4.0-43 linux-headers-4.4.0-43-generic
>> linux-headers-4.4.0-45 linux-headers-4.4.0-45-generic
>> linux-headers-4.4.0-47 linux-headers-4.4.0-47-generic
>> linux-headers-4.4.0-51 linux-headers-4.4.0-51-generic
>> linux-headers-4.4.0-53 linux-headers-4.4.0-53-generic
>> linux-headers-4.4.0-57 linux-headers-4.4.0-57-generic
>> linux-headers-4.4.0-59 linux-headers-4.4.0-59-generic
>> linux-headers-4.4.0-62 linux-headers-4.4.0-62-generic
>> linux-headers-4.4.0-63 linux-headers-4.4.0-63-generic
>> linux-headers-4.4.0-64 linux-headers-4.4.0-64-generic
>> linux-headers-4.4.0-66 linux-headers-4.4.0-66-generic
>> linux-headers-4.4.0-72 linux-headers-4.4.0-72-generic
>> linux-headers-4.4.0-75 linux-headers-4.4.0-75-generic
>> linux-headers-4.4.0-77 linux-headers-4.4.0-77-generic
>> linux-headers-4.4.0-78 linux-headers-4.4.0-78-generic
>> linux-headers-4.4.0-79 linux-headers-4.4.0-79-generic
>> linux-headers-4.4.0-81 linux-headers-4.4.0-81-generic
>> linux-image-4.4.0-36-generic linux-image-4.4.0-38-generic
>> linux-image-4.4.0-43-generic
>> linux-image-4.4.0-45-generic linux-image-4.4.0-47-generic
>> linux-image-4.4.0-51-generic
>> linux-image-4.4.0-53-generic linux-image-4.4.0-57-generic
>> linux-image-4.4.0-59-generic
>> linux-image-4.4.0-62-generic linux-image-4.4.0-63-generic
>> linux-image-4.4.0-64-generic
>> linux-image-4.4.0-66-generic linux-image-4.4.0-72-generic
>> linux-image-4.4.0-75-generic
>> linux-image-4.4.0-77-generic linux-image-4.4.0-78-generic
>> linux-image-4.4.0-79-generic
>> linux-image-4.4.0-81-generic linux-image-extra-4.4.0-36-generic
>> linux-image-extra-4.4.0-38-generic
>> linux-image-extra-4.4.0-43-generic linux-image-extra-4.4.0-45-generic
>> linux-image-extra-4.4.0-47-generic
>> linux-image-extra-4.4.0-51-generic linux-image-extra-4.4.0-53-generic
>> linux-image-extra-4.4.0-57-generic
>> linux-image-extra-4.4.0-59-generic linux-image-extra-4.4.0-62-generic
>> linux-image-extra-4.4.0-63-generic
>> linux-image-extra-4.4.0-64-generic linux-image-extra-4.4.0-66-generic
>> linux-image-extra-4.4.0-72-generic
>> linux-image-extra-4.4.0-75-generic linux-image-extra-4.4.0-77-generic
>> linux-image-extra-4.4.0-78-generic
>> linux-image-extra-4.4.0-79-generic linux-image-extra-4.4.0-81-generic
>> snap-confine ubuntu-core-launcher
>> Use 'sudo apt autoremove' to remove them.
>> The following packages will be REMOVED:
>> ubuntu-mate-core* ubuntu-mate-desktop* unattended-upgrades*
>> 0 to upgrade, 0 to newly install, 3 to remove and 0 not to upgrade.
>> After this operation, 348 kB disk space will be freed.
>> Do you want to continue? [Y/n]
>>
>> Therein lies the rub.
>>
>> To remove the package:
>> :~$ sudo apt-get purge unattended-upgrades
>> requires the removal of the user interface.
>>
>> That is why I regard the package as a trojan.
>>
>> It cannot be simply and easily and cleanly removed.
>>
>> Its design hooks it into other packages, to prevent its removal.
>>
>> It is like a cancer with secondaries in the brain - attempts to remove
>> simply aggravate the damage.
>
> There are many packages that cannot be uninstalled on Ubuntu (and all
> other distros). They're not trojans. Please google the definition of
> trojan.
>
> In this case, it's not that it cannot be uninstalled, it's that the
> mate metapackages depend on it.
>
> You could delete the metapackages but you'd be better off disabling
> unattended-upgrades:
>
> https://help.ubuntu.com/community/AutomaticSecurityUpdates
>


On that web page is

"
This is a simple tutorial that will teach you to configure your system
to automatically install security updates. There are always some
security risks involved in running software upgrades without
supervision
"

1. That web page tells how to automatically install updates. It does
not state how to prevent automated installation of updates.

2. "There are always some security risks involved in running software
upgrades without supervision" - the use of the packager is a defined
and declared security risk.

-- 

Bret Busby
Armadale
West Australia

..............

"So once you do know what the question actually is,
 you'll know what the answer means."
- Deep Thought,
 Chapter 28 of Book 1 of
 "The Hitchhiker's Guide to the Galaxy:
 A Trilogy In Four Parts",
 written by Douglas Adams,
 published by Pan Books, 1992

....................................................
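
Added example, not part of the original message or of any Ubuntu documentation: a shell sketch of the two checks the thread turns on, namely which other packages a purge would take with it, and whether automatic installation is switched on in the effective APT configuration. The function names are hypothetical, the sample inputs are constructed (the purge sample is taken from the transcript quoted above), and `/etc/apt/apt.conf.d/20auto-upgrades` is assumed to be the file that carries the setting on this system.

```shell
#!/bin/sh
# Added example, not from the thread. Sample inputs are constructed.

# stdin: apt-get output. Prints each package listed under
# "The following packages will be REMOVED:", without the purge marker '*'.
removed_packages() {
    awk '
        /^The following packages will be REMOVED:/ { in_list = 1; next }
        in_list && /^[ \t]/ {
            for (i = 1; i <= NF; i++) { sub(/\*$/, "", $i); print $i }
            next
        }
        in_list { in_list = 0 }   # first unindented line ends the list
    '
}

# Same input; prints what would be removed in addition to package $1.
collateral_removals() {
    removed_packages | awk -v target="$1" '$0 != target'
}

# stdin: `apt-config dump` lines. Exit 0 if the effective (last) value of
# APT::Periodic::Unattended-Upgrade is a non-zero interval, else exit 1.
unattended_enabled() {
    awk -F'"' '
        $1 ~ /^APT::Periodic::Unattended-Upgrade[ \t]*$/ { v = $2 }
        END { exit ((v + 0 > 0) ? 0 : 1) }
    '
}

# Constructed from the transcript above (apt-get indents package lists).
SAMPLE_PURGE='Reading package lists... Done
The following packages will be REMOVED:
  ubuntu-mate-core* ubuntu-mate-desktop* unattended-upgrades*
0 to upgrade, 0 to newly install, 3 to remove and 0 not to upgrade.'
# Constructed `apt-config dump` excerpts.
SAMPLE_ENABLED='APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";'
SAMPLE_DISABLED='APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "0";'

printf '%s\n' "$SAMPLE_PURGE" | collateral_removals unattended-upgrades
printf '%s\n' "$SAMPLE_ENABLED" | unattended_enabled && echo "automatic installs: on"
printf '%s\n' "$SAMPLE_DISABLED" | unattended_enabled || echo "automatic installs: off"

# Live use (simulation only, nothing is removed):
#   LC_ALL=C apt-get -s purge unattended-upgrades | collateral_removals unattended-upgrades
#   apt-config dump | unattended_enabled && echo "automatic installs: on"
# To keep the package but stop automatic installs, set in 20auto-upgrades:
#   APT::Periodic::Unattended-Upgrade "0";
```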




More information about the ubuntu-users mailing list