** Merge proposal linked: https://code.launchpad.net/~chad.smith/ubuntu/+source/update-notifier/+git/update-notifier/+merge/401826
** Merge proposal linked: https://code.launchpad.net/~chad.smith/ubuntu/+source/update-notifier/+git/update-notifier/+merge/401662 ** Merge proposal linked: https://code.launchpad.net/~lamoura/ubuntu/+source/update-notifier/+git/update-notifier/+merge/401657 ** Merge proposal linked: https://code.launchpad.net/~lamoura/ubuntu/+source/update-notifier/+git/update-notifier/+merge/401653 ** Merge proposal linked: https://code.launchpad.net/~lamoura/ubuntu/+source/update-notifier/+git/update-notifier/+merge/401473 ** Changed in: update-notifier (Ubuntu Bionic) Status: New => In Progress ** Changed in: update-notifier (Ubuntu Focal) Status: New => In Progress ** Changed in: update-notifier (Ubuntu Hirsute) Status: New => In Progress ** Changed in: update-notifier (Ubuntu Impish) Status: New => In Progress ** Changed in: update-notifier (Ubuntu Bionic) Importance: Undecided => High ** Changed in: update-notifier (Ubuntu Focal) Importance: Undecided => High ** Changed in: update-notifier (Ubuntu Hirsute) Importance: Undecided => High ** Changed in: update-notifier (Ubuntu Impish) Importance: Undecided => High ** Description changed: - I came across a scenario where the output of `/usr/lib/update-notifier - /apt-check --human-readable` is showing some (not all) esm updates as - being installable when esm itself is disabled: + [Impact] + when users are getting the message update-notifier message through apt-check they may find inconsistent behavior regarding ESM products. This is misleading since we will say to the users that they don't have ESM Infra, but they do have ESM infra packages that can be installed. This is poor marketing of our products + + [Test case] + + To reproduce the issue, you can: + + 1. Launch the following old version of a xenial container: + lxc launch ubuntu:f4c4c60a6b752a381288ae72a1689a9da00f8e03b732c8d1b8a8fcd1a8890800 dev-x + + 2. Run apt update and install the updated version of update-notifier-common + 3. Add the ubuntu-advantage-tools ppa: + https://code.launchpad.net/~ua-client/+archive/ubuntu/daily + 4. Install ubuntu-advantage-tools + 5. Install the latest version of uaclient from the stable ppa: + https://launchpad.net/~ua-client/+archive/ubuntu/stable/ + 6. Comment out all mentions of xenial-security in /etc/apt/source.list + 7. Run apt update + 8. Run /usr/lib/update-notifier/apt-check --human-readable + 9. See a message like this: + + UA Infra: Extended Security Maintenance (ESM) is not enabled. + + 256 packages can be updated. + 5 of these updates are fixed through UA Infra: ESM. + 5 of these updates are security updates. + To see these additional updates run: apt list --upgradable + + Enable UA Infra: ESM to receive 5 additional security updates. + See https://ubuntu.com/security/esm or run: sudo ua status + + + To verify that the error is fixed: + + 1.Perform all the stages above until step 8 + 2 Install the new update-notifier from this ppa: + https://launchpad.net/~lamoura/+archive/ubuntu/update-notifier-test-ppa + 3. Run /usr/lib/update-notifier/apt-check --human-readable + 4. See a message like this: + + 256 updates can be installed immediately. + 5 of these updates are security updates. + To see these additional updates run: apt list --upgradable + + 5. We are now only showing ESM infra specific message if the distro is + ESM. To enforce that behavior, make the `is_esm_distro` function in + `/usr/lub/update-notifier/apt-check` return True, then you will see this + message: + + UA Infra: Extended Security Maintenance (ESM) is not enabled. + + 256 updates can be installed immediately. + 5 of these updates are security updates. + To see these additional updates run: apt list --upgradable + + 5 additional security updates can be applied with UA Infra: ESM + Learn more about enabling UA Infra: ESM service at https://ubuntu.com/esm + + That is now correct. + + [Where problems could occur] + + The changes in this package should only be seen when MOTD is getting a + new message. If that script fails for some reason, it seems that MOTD + will only not present the message, which is doesn't seem to be a system + critical issue. Additionally, we would potentially have tracebacks in + the update-notifier logs. Finally, if the logic is also incorrect, we + would be displying incorrect ESM messages to the user. But since we are + doing this now, as this bug shows, I don't think this is critical as + well. + + [Discussion] + + With ESM Apps going to production soon, we have decided to update the + messages delivered by update-notifier apt-check to address the package + count of ESM Apps and the possibility of installing more upgrades if the + user has ESM Apps disabled. + + We are also updating other parts of the messaging as well. First, we only display ESM Infra status + on ESM distros. However, we will keep showing the ESM Infra package count on all of them. + + For ESM Apps, we are only performing the alerts (For example, that you + might have x packages updates if ESM Apps is installed) if the user is + on a LTS distro. + + Since we going to perform that change, we decided to also address this + bit in the SRU, since it could harm the message we are delivering + + [Original Report] + I came across a scenario where the output of `/usr/lib/update-notifier/apt-check --human-readable` is showing some (not all) esm updates as being installable when esm itself is disabled: ubuntu@trusty-desktop:~$ sudo /usr/lib/update-notifier/apt-check --human-readable UA Infrastructure Extended Security Maintenance (ESM) is not enabled. 456 updates can be installed immediately. 10 of these updates are provided through UA Infrastructure ESM. 378 of these updates are security updates. To see these additional updates run: apt list --upgradable Enable UA Infrastructure ESM to receive 127 additional security updates. See https://ubuntu.com/advantage or run: sudo ua status - If you look carefully, you will see that it's contradicting itself by saying esm is enabled and disabled at the same time: - 10 ESM updates can be installed immediately - ESM is disabled, and if you enable ESM you will get 127 additional updates I believe this comes from apt_check.py:253: - # now check for security updates that are masked by a - # canidate version from another repo (-proposed or -updates) - for ver in pkg.version_list: - if (inst_ver and apt_pkg.version_compare(ver.ver_str, inst_ver.ver_str) <= 0): - #print("skipping '%s' " % ver.VerStr) - continue - if isESMUpgrade(ver): - esm_updates += 1 - if isSecurityUpgrade(ver): - security_updates += 1 - break + # now check for security updates that are masked by a + # canidate version from another repo (-proposed or -updates) + for ver in pkg.version_list: + if (inst_ver and apt_pkg.version_compare(ver.ver_str, inst_ver.ver_str) <= 0): + #print("skipping '%s' " % ver.VerStr) + continue + if isESMUpgrade(ver): + esm_updates += 1 + if isSecurityUpgrade(ver): + security_updates += 1 + break I believe that is ignoring the fact that ESM is disabled. I added a pdb to check which package it was considering as an esm update, and the first response was dbus, which is in this peculiar state in the archive: ubuntu@trusty-desktop:~$ apt-cache policy dbus dbus: - Installed: 1.6.18-0ubuntu4.3 - Candidate: 1.6.18-0ubuntu4.5 - Version table: - 1.6.18-0ubuntu4.5+esm1 0 - -32768 https://esm.ubuntu.com/ubuntu/ trusty-infra-security/main amd64 Packages - 1.6.18-0ubuntu4.5 0 - 500 http://br.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages - 1.6.18-0ubuntu4.4 0 - 500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages - *** 1.6.18-0ubuntu4.3 0 - 100 /var/lib/dpkg/status - 1.6.18-0ubuntu4 0 - 500 http://br.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages + Installed: 1.6.18-0ubuntu4.3 + Candidate: 1.6.18-0ubuntu4.5 + Version table: + 1.6.18-0ubuntu4.5+esm1 0 + -32768 https://esm.ubuntu.com/ubuntu/ trusty-infra-security/main amd64 Packages + 1.6.18-0ubuntu4.5 0 + 500 http://br.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages + 1.6.18-0ubuntu4.4 0 + 500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages + *** 1.6.18-0ubuntu4.3 0 + 100 /var/lib/dpkg/status + 1.6.18-0ubuntu4 0 + 500 http://br.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages Maybe we just need to guard that isESMUpgrade(ver) call with "if have_esm and isESMUpgrade(ver)"? The other place in the code a bit up from the above which also increments esm_updates isn't run in this scenario, so the 10 packages must come from the check I highlighted above. - Other info: update-notifier 0.154.1ubuntu8 from trusty-updates ubuntu-advantage-tools 19.6~ubuntu14.04.4 from trusty-updates ua is attached, but esm disabled: ubuntu@trusty-desktop:~$ ua status SERVICE ENTITLED STATUS DESCRIPTION cc-eal yes n/a Common Criteria EAL2 Provisioning Packages cis-audit no — Center for Internet Security Audit Tools esm-infra yes disabled UA Infra: Extended Security Maintenance fips yes n/a NIST-certified FIPS modules fips-updates yes n/a Uncertified security updates to FIPS modules livepatch yes disabled Canonical Livepatch service Enable services with: ua enable <service> - Account: andreas.hasen...@canonical.com + Account: andreas.hasen...@canonical.com Subscription: andreas.hasen...@canonical.com -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1883315 Title: Showing esm update as installable when esm is disabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/update-notifier/+bug/1883315/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
