update manager tries to download stale files?

Bug #420009 reported by Dan Kegel
This bug affects 3 people
Affects: update-manager (Ubuntu)
Status: Triaged
Importance: Low
Assigned to: Unassigned

Bug Description

Binary package hint: update-manager

An ubuntu-9.04 system that had been turned off for a couple weeks
was turned on today, and Update Manager asked to update a
bunch of packages. It encountered the following error:

W: Failed to fetch
http://dl.google.com/linux/deb/pool/main/g/google-chrome-unstable/google-chrome-unstable_3.0.198.1-r23116_amd64.deb
 404 Not Found [IP: 74.125.19.136 80]

Presumably this system had done an apt-get update, but been
shut down before actually installing the available updates, and
when the system came back up, the update manager tried to get that package,
but failed because that package is now obsolete, having been replaced with
a newer one several weeks ago.

This seems like it wouldn't happen with packages provided directly by
Ubuntu, since old packages are rarely removed from their repo;
it's specific to third party repositories which are rapidly updated
and where obsolete packages are routinely removed from the repo.
It might also happen with Ubuntu alpha releases; I think they
remove buggy packages from the repo if they cause problems.

It seems that update-manager should do an apt-get update to
get a fresh list of packages before trying to do the install.

Running outdated packages can widen the window of vulnerability,
so this is a security problem.

Dan Kegel (dank)
visibility: private → public
Jamie Strandboge (jdstrand) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

security vulnerability: yes → no
to be removed (liw) wrote :

This does happen to regular Ubuntu archives as well, during the development phase. For a released version it is obviously rare.

However, since doing an "apt-get update" can be heavy, especially on slower machines, it's not necessarily a good idea to do it always before installing upgrades. I'd say that the mechanisms we have in place of keeping the package lists up to date daily should take care of the security aspect.

It might help if the dialog saying packages couldn't be downloaded would warn about package lists being up to date. Or the upgrade action could check the dates of the updates and warn if they're older than a day or two.

Changed in update-manager (Ubuntu):
status: New → Triaged
importance: Undecided → Low
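
The staleness warning suggested in the last comment, sketched as an added example (not code from update-manager or from anyone in this thread). Assumptions: GNU stat as shipped on Ubuntu; the two timestamp paths are the usual locations and may be absent on a given host; the function names and the two-day threshold are illustrative.

```shell
#!/bin/sh
# Added example: warn when the apt package lists are older than a threshold,
# so an upgrade is not attempted against an index that may name removed .debs.

# Candidate timestamps, most reliable first (assumed locations):
#  - update-success-stamp: touched after a successful "apt-get update" on
#    systems where the update-notifier-common hook is installed
#  - the lists directory: its mtime changes when index files are replaced
STAMPS="${STAMPS:-/var/lib/apt/periodic/update-success-stamp /var/lib/apt/lists}"
MAX_AGE_DAYS="${MAX_AGE_DAYS:-2}"

# Print the age, in whole days, of the first existing path among the arguments.
# Returns 2 if none of them exists or can be read.
index_age_days() {
    now=$(date +%s)
    for p in "$@"; do
        [ -e "$p" ] || continue
        mtime=$(stat -c %Y "$p") || continue
        echo $(( (now - mtime) / 86400 ))
        return 0
    done
    return 2
}

# Usage: check_index_fresh MAX_DAYS PATH...
# Returns 0 if fresh, 1 if stale, 2 if the age cannot be determined.
check_index_fresh() {
    max_days=$1
    shift
    age=$(index_age_days "$@") || {
        echo "W: cannot determine the age of the package lists" >&2
        return 2
    }
    if [ "$age" -gt "$max_days" ]; then
        echo "W: package lists are $age days old; refresh them before upgrading" >&2
        return 1
    fi
    return 0
}

# Warn only; the caller decides whether a stale index should block the upgrade.
# STAMPS is intentionally left unquoted so it splits into separate paths.
check_index_fresh "$MAX_AGE_DAYS" $STAMPS || true
```

The modification times of the individual index files under the lists directory are not used, because apt may set them from the server's timestamp rather than from the time of the download.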