update-manager indicates that updates are security updates even if they're not

Bug #209169 reported by levander
Affects                   Status    Importance  Assigned to  Milestone
update-manager (Ubuntu)   Invalid   Undecided   Unassigned

Bug Description

Binary package hint: update-manager

Even if the only updates available are non-security updates, package-manager makes it visually look like the updates are in fact security updates.

In the attached screenshot, you can see where at the top of the updatable package list, there's a message "Important security updates". The first five packages are: cupsys, cupsys-bsd, cupsys-client, cupsys-common, and ghostscript.

Here's the 'apt-cache policy' listings for those packages:

levander@louis:~$ apt-cache policy cupsys
cupsys:
  Installed: 1.3.2-1ubuntu7
  Candidate: 1.3.2-1ubuntu7.5
  Version table:
     1.3.2-1ubuntu7.5 0
        500 http://us.archive.ubuntu.com gutsy-updates/main Packages
     1.3.2-1ubuntu7.3 0
        500 http://security.ubuntu.com gutsy-security/main Packages
 *** 1.3.2-1ubuntu7 0
        500 http://us.archive.ubuntu.com gutsy/main Packages
        100 /var/lib/dpkg/status
levander@louis:~$ apt-cache policy cupsys-bsd
cupsys-bsd:
  Installed: 1.3.2-1ubuntu7
  Candidate: 1.3.2-1ubuntu7.5
  Version table:
     1.3.2-1ubuntu7.5 0
        500 http://us.archive.ubuntu.com gutsy-updates/main Packages
     1.3.2-1ubuntu7.3 0
        500 http://security.ubuntu.com gutsy-security/main Packages
 *** 1.3.2-1ubuntu7 0
        500 http://us.archive.ubuntu.com gutsy/main Packages
        100 /var/lib/dpkg/status
levander@louis:~$ apt-cache policy cupsys-client
cupsys-client:
  Installed: 1.3.2-1ubuntu7
  Candidate: 1.3.2-1ubuntu7.5
  Version table:
     1.3.2-1ubuntu7.5 0
        500 http://us.archive.ubuntu.com gutsy-updates/main Packages
     1.3.2-1ubuntu7.3 0
        500 http://security.ubuntu.com gutsy-security/main Packages
 *** 1.3.2-1ubuntu7 0
        500 http://us.archive.ubuntu.com gutsy/main Packages
        100 /var/lib/dpkg/status
levander@louis:~$ apt-cache policy cupsys-common
cupsys-common:
  Installed: 1.3.2-1ubuntu7
  Candidate: 1.3.2-1ubuntu7.5
  Version table:
     1.3.2-1ubuntu7.5 0
        500 http://us.archive.ubuntu.com gutsy-updates/main Packages
     1.3.2-1ubuntu7.3 0
        500 http://security.ubuntu.com gutsy-security/main Packages
 *** 1.3.2-1ubuntu7 0
        500 http://us.archive.ubuntu.com gutsy/main Packages
        100 /var/lib/dpkg/status
levander@louis:~$ apt-cache policy ghostscript
ghostscript:
  Installed: 8.61.dfsg.1~svn8187-0ubuntu3
  Candidate: 8.61.dfsg.1~svn8187-0ubuntu3.3
  Version table:
     8.61.dfsg.1~svn8187-0ubuntu3.3 0
        500 http://us.archive.ubuntu.com gutsy-updates/main Packages
     8.61.dfsg.1~svn8187-0ubuntu3.2 0
        500 http://security.ubuntu.com gutsy-security/main Packages
 *** 8.61.dfsg.1~svn8187-0ubuntu3 0
        500 http://us.archive.ubuntu.com gutsy/main Packages
        100 /var/lib/dpkg/status

You can see that none of these updates are coming from the security archives.

I created this situation by doing a clean install of Gutsy, then going to the "Software Sources" dialog and selecting to auto-install security updates. The next day, many updates were auto-installed; the updates still listed in update-manager are the ones that weren't updated.

Note that it's not that update-manager installs these non-security updates when you've selected to auto-install security updates, update-manager does not do this. But from the GUI, it just looks like those updates are security updates.

Revision history for this message
levander (levander) wrote :

So, I installed the updates and now there's one new update available. It's a non-security update and the "Important security updates" message is gone. It now says "Recommended Updates".

I'm guessing this bug only occurs on new systems where you haven't installed any certain type of packages yet. The 2nd to last paragraph in the original post states how I created the error.

Screenshot of new situation attached.

Revision history for this message
Michael Vogt (mvo) wrote :

Thanks for your bug report.

Looking at the version table I see that while the actual upgrade itself comes from -updates there is a version in -security that has a higher version number than the one installed but a lower one than the one in -updates. That means that the installed package has a security problem but there is also something else that got fixed in -updates. So it seems to be appropriate to show it as a security update (also it may be argued that there should be a new category "security+update").

What do you think?

Thanks,
 Michael

Changed in update-manager:
status: New → Incomplete
Revision history for this message
levander (levander) wrote :

Okay, I don't understand all the output of 'apt-cache policy'. I understand it more with your description. Having an additional "security+update" would be a solution for update-manager.

I'm wondering if there isn't a larger issue though when you consider the whole of the Ubuntu desktop. In the "Software Sources" dialog, I've checked the button to auto-install security updates. So, I'm *expecting* my computer is at least as secure as is all the security fixes Ubuntu has deemed important enough to fix.

I see that the pattern of the updates for the five packages I've listed above is: 1.) regular update, 2.) security-update, 3.) regular update. Now, unless the security update in 2.) only fixed a security hole that was only introduced in the regular update in 1.), at the point in time I reported this bug, my computer was not as secure as I *expect* it to be (as was described in the previous paragraph).

So basically, I'm expecting consistency between the Software Sources dialog and the update manager. If you have a new section in update-manager called something like "security+update", as an unenlightened end user, I'm still going to wonder why I don't have the security fixes that exist in this new section. You could just expect end-users to become enlightened, but my opinion is that that's a little more digging than the average user Ubuntu is hoping to obtain should be expected to dig.

Depending on the answer to some of the questions I've asked, maybe this is a bug that affects a 2nd package, the one that the Software Sources dialog is in?
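Both Michael's reading of the version table (a -security version sitting between the installed version and the -updates candidate) and levander's question about what a security-only policy would actually install can be checked mechanically. The script below is an added example, not code from update-manager or from anyone in this report. It parses the `apt-cache policy` output quoted in the bug description, compares versions with a re-implementation of dpkg's ordering rules (on a real system `apt_pkg.version_compare` from python-apt does the same job), and labels each package the way Michael's comment reasons. `pending_security_fixes` models a "security updates only" policy as "newest version offered from a -security pocket"; that model, and the "security+update" label, are assumptions made for illustration, not a description of how Software Sources or update-manager are implemented.

```python
import re
from functools import cmp_to_key

# Constructed sample input: the cupsys listing quoted in the bug description above.
SAMPLE_POLICY = """\
levander@louis:~$ apt-cache policy cupsys
cupsys:
  Installed: 1.3.2-1ubuntu7
  Candidate: 1.3.2-1ubuntu7.5
  Version table:
     1.3.2-1ubuntu7.5 0
        500 http://us.archive.ubuntu.com gutsy-updates/main Packages
     1.3.2-1ubuntu7.3 0
        500 http://security.ubuntu.com gutsy-security/main Packages
 *** 1.3.2-1ubuntu7 0
        500 http://us.archive.ubuntu.com gutsy/main Packages
        100 /var/lib/dpkg/status
"""

def _order(c):
    """dpkg's character weight: '~' sorts before anything, even the end of the string."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    """Compare one version part (upstream or revision) with dpkg's rules."""
    while a or b:
        # Non-digit run: compare character by character using dpkg's weights.
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            diff = _order(a[:1]) - _order(b[:1])
            if diff:
                return diff
            a, b = a[1:], b[1:]
        # Digit run: drop leading zeros; the longer run wins, else the first differing digit.
        a, b, first_diff = a.lstrip("0"), b.lstrip("0"), 0
        while a[:1].isdigit() and b[:1].isdigit():
            first_diff = first_diff or int(a[0]) - int(b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit():
            return 1
        if b[:1].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(v):
    """Split 'epoch:upstream-revision' into its parts; epoch and revision are optional."""
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return <0, 0 or >0 like apt_pkg.version_compare: epoch, then upstream, then revision."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

_PKG = re.compile(r"^(\S+):$")
_FIELD = re.compile(r"^\s+(Installed|Candidate):\s+(\S+)$")
_VER = re.compile(r"^\s*(?:\*\*\*\s+)?(\S+)\s+-?\d+$")
_SRC = re.compile(r"^\s+\d+\s+\S+\s+(\S+)/\S+\s+Packages$")

def parse_policy(text):
    """Parse `apt-cache policy` output for one or more packages, keyed by package name.
    Each entry is {"installed", "candidate", "suites": {version: {suite, ...}}}."""
    policies, pol, ver = {}, None, None
    for line in text.splitlines():
        if m := _PKG.match(line):
            pol = policies[m.group(1)] = {"installed": "", "candidate": "", "suites": {}}
        elif pol is None:
            continue  # shell prompt or other noise before the first package header
        elif m := _FIELD.match(line):
            pol[m.group(1).lower()] = m.group(2)
        elif m := _VER.match(line):
            ver = m.group(1)
            pol["suites"].setdefault(ver, set())
        elif (m := _SRC.match(line)) and ver:
            pol["suites"][ver].add(m.group(1))
    return policies

def pending_security_fixes(pol):
    """Versions from a -security pocket newer than the installed one, oldest first.
    The last entry is what a security-only policy would pick in this simplified model."""
    vs = [v for v, s in pol["suites"].items()
          if any(x.endswith("-security") for x in s) and compare_versions(v, pol["installed"]) > 0]
    return sorted(vs, key=cmp_to_key(compare_versions))

def classify(pol):
    """Label the pending upgrade the way Michael's comment reasons about the version table."""
    if compare_versions(pol["candidate"], pol["installed"]) <= 0:
        return "up-to-date"
    if any(s.endswith("-security") for s in pol["suites"].get(pol["candidate"], ())):
        return "security"
    # A -security version between installed and candidate means the installed package has a
    # known security problem even though the upgrade itself is served from -updates.
    if any(compare_versions(v, pol["candidate"]) < 0 for v in pending_security_fixes(pol)):
        return "security+update"
    return "recommended"
```

Run against the sample, `classify` returns "security+update" for cupsys and `pending_security_fixes` returns `["1.3.2-1ubuntu7.3"]`: the installed 1.3.2-1ubuntu7 is older than a published security fix, which is exactly the gap levander is worried about, while the candidate update-manager offers comes from -updates.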

Revision history for this message
Magnus S (magnuss) wrote :

Hi,
this bug report is getting old, so I'm closing it now. If this issue is still affecting you, please reopen.
To reopen the bug report you can click on the current status, under the Status column, and change the Status back to "New". Thanks again!

Changed in update-manager:
status: Incomplete → Invalid