libssl-dev : Depends: libssl3 (= 3.0.2-0ubuntu1.1) but 3.0.2-0ubuntu1.2 is to be installed

Bug #1979244 reported by Felipe Reyes
156
This bug affects 35 people
Affects Status Importance Assigned to Milestone
MySQL InnoDB Cluster Charm
Invalid
Undecided
Unassigned
apt (Ubuntu)
Fix Released
High
Unassigned
Impish
Won't Fix
High
Unassigned
Jammy
Fix Released
High
Unassigned

Bug Description

[Impact]
Users cannot install a package, e.g. libssl-dev, if built from the same source as another installed update while it is phasing.

In the example below, libssl3 3.0.2-0ubuntu1.2 update was already installed, this got replaced in the archive with a 3.0.2-0ubuntu1.4 update that was phasing and the system in question was not eligible for it yet.

Because the system was not eligible for openssl 3.0.2-0ubuntu1.4, it picked libssl-dev=3.0.2-0ubuntu1.1 from the security pocket as the candidate instead, which conflicts with the higher version of libssl3.

[Approach]
We reimplemented the phasing as part of the upgrade code path by keeping back any phased upgrades, as the original update-manager implementation does, and disabled the policy based implementation (set APT::Phase-Policy to true to re-enable it).

This means that phasing only applies when upgrades are made by apt, and not when initiated manually by the user or as a result from a dependency.

So if you have a phased upgrade 'phased', apt upgrade won't upgrade it, but `apt upgrade 'phased'`, like àpt install 'phased'` will - which is the expected behavior as the arguments should behave like they do in `install`.

Packages will now appear as having "been kept back" in the upgrade output.

[Test case]
Integration tests will be provided and run as autopkgtests, testing the scenarios described in this issue and comment #10. This cannot necessarily be tested on the real archive as you need packages phasing and have an older version installed.

Please see test/integration/test-phased-updates-upgrade for the complete tests. tl;dr is that we test each of the upgrade commands, with and without package arguments, and the install command with arguments; for a variety of scenarios:

– simple phased update
- a phased update that has a version in security
- a package that gains a dependency on an installed phased package
- a package that gains a dependency on a NEW phased package

We test both the new implementation and the old one.

[Regression potential]
The solver could break trying to unwrap our mess of MarkKeep() calls where they conflict with other calls. I don't think it can necessarily break harder than now and issues can be worked around archive side if problems do pop up. Also people can manually work around by passing package names of phased upgrades to force them.

Packages will now be installed from the -updates pocket if they have a newer-than-installed version in the -security pocket, rather than the security pocket, as we cannot switch the version. This is the same behavior as update-manager.

[Example]

libmysqlclient-dev on Jammy cannot be installed due to unmet dependencies

$ apt policy libmysqlclient-dev
libmysqlclient-dev:
  Installed: (none)
  Candidate: 8.0.29-0ubuntu0.22.04.2
  Version table:
     8.0.29-0ubuntu0.22.04.2 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
     8.0.28-0ubuntu4 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu jammy/main amd64 Packages
$ sudo 'apt-get' '--option=Dpkg::Options::=--force-confold' '--assume-yes' 'install' 'libmysqlclient-dev'
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 libssl-dev : Depends: libssl3 (= 3.0.2-0ubuntu1.1) but 3.0.2-0ubuntu1.2 is to be installed
E: Unable to correct problems, you have held broken packages.

Revision history for this message
Felipe Reyes (freyes) wrote :

I wonder if I deployed just in the middle of a new version being rolled.

$ apt policy libssl3
libssl3:
  Installed: 3.0.2-0ubuntu1.2
  Candidate: 3.0.2-0ubuntu1.2
  Version table:
     3.0.2-0ubuntu1.4 1 (phased 10%)
        500 http://nova.clouds.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
 *** 3.0.2-0ubuntu1.2 100
        100 /var/lib/dpkg/status
     3.0.2-0ubuntu1.1 500
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
     3.0.2-0ubuntu1 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu jammy/main amd64 Packages

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in mysql-8.0 (Ubuntu Jammy):
status: New → Confirmed
Changed in mysql-8.0 (Ubuntu):
status: New → Confirmed
Revision history for this message
Jeremy Chadwick (koitsu) wrote :

https://askubuntu.com/questions/1414956/libssl3-3-0-2-0ubuntu1-2-required-but-only-3-0-2-0ubuntu1-1-is-available-on-t/1414986

It's now been 14+ hours and this dependency tree is still broken. This (libssl) was last touched by Simon Chopin around that time.

Changed in openssl (Ubuntu Jammy):
status: New → Confirmed
Changed in openssl (Ubuntu):
status: New → Confirmed
Revision history for this message
rudnik (nnrudakov) wrote :

The same error when trying to install postgresql-server-dev package.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

I can't reproduce this in a jammy VM.
What's the output of "apt policy libssl-dev"?

Revision history for this message
Marcus Dansarie (4-marcus) wrote :

$ apt policy libssl-dev
libssl-dev:
  Installed: (none)
  Candidate: 3.0.2-0ubuntu1.1
  Version table:
     3.0.2-0ubuntu1.4 1 (phased 30%)
        500 http://se.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
     3.0.2-0ubuntu1.1 500
        500 http://se.archive.ubuntu.com/ubuntu jammy-security/main amd64 Packages
     3.0.2-0ubuntu1 500
        500 http://se.archive.ubuntu.com/ubuntu jammy/main amd64 Packages

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

I need the same person to do "apt policy" on the package they are trying to install, on "libssl-dev" and on "libssl3", and to also paste the error message they are getting when trying to install the package that is failing.

Revision history for this message
Itai Levy (etlvnvda) wrote :
Revision history for this message
Daniel (dedeman) wrote :

Hi, from my side the output is:
root@vps:/home/ubuntu# apt install libssl-dev
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 libssl-dev : Depends: libssl3 (= 3.0.2-0ubuntu1.1) but 3.0.2-0ubuntu1.4 is to be installed
E: Unable to correct problems, you have held broken packages.
root@vps:/home/ubuntu# apt install libssl3
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
libssl3 is already the newest version (3.0.2-0ubuntu1.4).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@vps:/home/ubuntu# apt policy libssl-dev
libssl-dev:
  Installed: (none)
  Candidate: 3.0.2-0ubuntu1.1
  Version table:
     3.0.2-0ubuntu1.4 1 (phased 30%)
        500 http://nova.clouds.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
     3.0.2-0ubuntu1.1 500
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
     3.0.2-0ubuntu1 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu jammy/main amd64 Packages
root@vps:/home/ubuntu# apt policy libssl3
libssl3:
  Installed: 3.0.2-0ubuntu1.4
  Candidate: 3.0.2-0ubuntu1.4
  Version table:
 *** 3.0.2-0ubuntu1.4 1 (phased 30%)
        500 http://nova.clouds.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     3.0.2-0ubuntu1.1 500
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
     3.0.2-0ubuntu1 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu jammy/main amd64 Packages

Revision history for this message
Jeremy Chadwick (koitsu) wrote :
Download full text (5.5 KiB)

@mdeslaur Here are the details you want. This is a freshly launched AWS EC2 instance (AMI ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20220609). "update" pulls from apt repos jammy, jammy-updates, jammy-backports, and jammy-security. Issue is 100% reproducible.

$ sudo -i
# apt-get -y update
Hit:1 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy InRelease
Get:2 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-updates InRelease [109 kB]
Get:3 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-backports InRelease [99.8 kB]
Get:4 http://security.ubuntu.com/ubuntu jammy-security InRelease [110 kB]
Get:5 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages [14.1 MB]
Get:6 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy/universe Translation-en [5652 kB]
Get:7 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy/universe amd64 c-n-f Metadata [286 kB]
Get:8 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy/multiverse amd64 Packages [217 kB]
Get:9 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy/multiverse Translation-en [112 kB]
Get:10 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy/multiverse amd64 c-n-f Metadata [8372 B]
Get:11 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages [303 kB]
Get:12 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-updates/main Translation-en [72.9 kB]
Get:13 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-updates/main amd64 c-n-f Metadata [4952 B]
Get:14 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-updates/restricted amd64 Packages [184 kB]
Get:15 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-updates/restricted Translation-en [27.9 kB]
Get:16 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages [125 kB]
Get:17 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-updates/universe Translation-en [44.1 kB]
Get:18 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 c-n-f Metadata [2560 B]
Get:19 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-updates/multiverse amd64 Packages [4192 B]
Get:20 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-updates/multiverse Translation-en [1016 B]
Get:21 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-updates/multiverse amd64 c-n-f Metadata [232 B]
Get:22 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-backports/main amd64 c-n-f Metadata [112 B]
Get:23 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-backports/restricted amd64 c-n-f Metadata [116 B]
Get:24 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-backports/universe amd64 Packages [2036 B]
Get:25 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-backports/universe Translation-en [7012 B]
Get:26 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-backports/universe amd64 c-n-f Metadata [216 B]
Get:27 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-backports/multiverse amd64 c-n-f Metadata [116 B]
Get:28 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages [185 kB]
Get:29 http://security.ubuntu.com/ubuntu jammy-security/main Translation-en [43.6 kB]
Get:30 http://security.ubuntu.com/ubuntu jammy-security/main amd6...

Read more...

Revision history for this message
Marc Deslauriers (mdeslaur) wrote (last edit ):

This is happening because of phased updates. The libssl3 package was either manually installed, or it came preinstalled in an image, and now phased updates is preventing libssl-dev from being installed. There are two ways to get out of this stalemate:

1- Manually request the libssl-dev version to be installed: "apt install libssl-dev=3.0.2-0ubuntu1.4"
2- Disable phased updates, see the configuration options here: https://discourse.ubuntu.com/t/phased-updates-in-apt-in-21-04/20345

Revision history for this message
Jeremy Chadwick (koitsu) wrote :

Thanks for the information. We will begin disabling phased updates on all our systems being imaged going forward.

Revision history for this message
Jeremy Chadwick (koitsu) wrote :

BTW, with regards to libssl3 being "manually installed or coming preinstalled", it comes preinstalled because package linux-headers relies on it:

# aptitude why libssl3
i linux-headers-5.15.0-1011-aws Depends libssl3 (>= 3.0.0~~alpha1)

As such, I'm not so sure doing A/B testing (re: phased updates) on anything OpenSSL-related is a wise idea.

Revision history for this message
Jeremy Chadwick (koitsu) wrote :

Also, the recommended advice does not work/apply. Adding this to /etc/apt/apt.conf does not relieve the problem (I tried all these permutations, since apt_preferences(5) is not clear what syntax is truly wanted, and web searches turn up varying opinions depending on if you're using Update Manager or not, alongside questioning why there is a Never and an Always, re: tri-state switch):

Update-Manager::Always-Include-Phased-Updates "0";
Update-Manager::Always-Include-Phased-Updates "False";
Update-Manager::Always-Include-Phased-Updates False;
Update-Manager::Never-Include-Phased-Updates "1";
Update-Manager::Never-Include-Phased-Updates "True";
Update-Manager::Never-Include-Phased-Updates True;
APT::Get::Always-Include-Phased-Updates "0";
APT::Get::Always-Include-Phased-Updates "False";
APT::Get::Always-Include-Phased-Updates False;
APT::Get::Never-Include-Phased-Updates "1";
APT::Get::Never-Include-Phased-Updates "True";
APT::Get::Never-Include-Phased-Updates True;

I believe the answer is easily overlooked in the initial post from juliank: "Note that this does not apply to fresh package installs".

Next, I tried the other workaround, by force-pinning a version. Note that the original recommendation was "apt install libssl-dev=3.0.2-0ubuntu1.4", which will not work; "apt install libssl3=3.0.2-0ubuntu1.4" did work (understandably) -- except not really.

Forced pinning get us no further than before, because package libssl-dev explicitly depends on a specific version of libssl3 (note equals, not greater-than-equals or tilde):

# dpkg -l | grep libssl3
ii libssl3:amd64 3.0.2-0ubuntu1.4 amd64 Secure Sockets Layer toolkit - shared libraries

# apt-get install libmysqlclient-dev
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 libssl-dev : Depends: libssl3 (= 3.0.2-0ubuntu1.1) but 3.0.2-0ubuntu1.4 is to be installed
E: Unable to correct problems, you have held broken packages.

# apt-cache show libssl-dev
...
Depends: libssl3 (= 3.0.2-0ubuntu1)
...

So either libssl-dev needs to be updated alongside this, and somehow these two packages (libssl-dev and libssl3) need to be "tied together" when it comes to phased updates (I don't even know if that's possible), or there is further packaging work (version bumping) that needs to happen.

Additionally, I suspect what all this implies is that phased updates were enabled by default on the latest AWS AMI when it was made by Canonical, and now there is (effectively) no way to "opt out" of them. This is not a good system, folks. Please CC whoever is responsible for this model so they can witness real-world failure of it (and how getting out of this situation doesn't seem possible).

Revision history for this message
Julian Andres Klode (juliank) wrote (last edit ):

apt install libssl-dev=3.0.2-0ubuntu1.4 should work, but you might have to force additional packages up. Certainly the error will be different.

I don't understand your config options, you already have the phased update installed, so you need the reverse of what you did to get the still-phasing libssl-dev to be installed.

And no, the implementation changed to fix the opposite corollary bug, so it applies to not-yet-installed packages as well. Where people had libssl3=...1.1 installed and then tried to install libssl-dev and it would fail because libssl-dev Depends libssl3 (= ...1.4)

Simon Chopin (schopin)
tags: added: fr-2488
Revision history for this message
Jeremy Chadwick (koitsu) wrote :
Download full text (6.8 KiB)

No, it doesn't work. Is there a reason developers here are not actually launching new instances and confirming the statements themselves? Why do I have to keep proving this? Another fresh instance, AMI ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20220609 (ami-0d70546e43a941d70), absolutely nothing tuned, touched, or otherwise:

ubuntu@ip-172-31-53-51:~$ dpkg -l | grep libssl
ii libssl3:amd64 3.0.2-0ubuntu1.2 amd64 Secure Sockets Layer toolkit - shared libraries

ubuntu@ip-172-31-53-51:~$ sudo apt install libssl-dev=3.0.2-0ubuntu1.4
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 libssl-dev : Depends: libssl3 (= 3.0.2-0ubuntu1.4) but 3.0.2-0ubuntu1.2 is to be installed

ubuntu@ip-172-31-53-51:~$ sudo aptitude why libssl3
i linux-headers-5.15.0-1011-aws Depends libssl3 (>= 3.0.0~~alpha1)

Now, if you do what I said earlier -- please note the package version name difference compared to what everyone keeps referring to:

ubuntu@ip-172-31-53-51:~$ sudo apt install libssl3=3.0.2-0ubuntu1.4
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages will be upgraded:
  libssl3
1 upgraded, 0 newly installed, 0 to remove and 7 not upgraded.
Need to get 1900 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-updates/main amd64 libssl3 amd64 3.0.2-0ubuntu1.4 [1900 kB]
Fetched 1900 kB in 0s (29.4 MB/s)
Preconfiguring packages ...
(Reading database ... 64038 files and directories currently installed.)
Preparing to unpack .../libssl3_3.0.2-0ubuntu1.4_amd64.deb ...
Unpacking libssl3:amd64 (3.0.2-0ubuntu1.4) over (3.0.2-0ubuntu1.2) ...
Setting up libssl3:amd64 (3.0.2-0ubuntu1.4) ...
Processing triggers for libc-bin (2.35-0ubuntu3) ...
{snipping for brevity}

ubuntu@ip-172-31-53-51:~$ dpkg -l | grep libssl
ii libssl3:amd64 3.0.2-0ubuntu1.4 amd64 Secure Sockets Layer toolkit - shared libraries

ubuntu@ip-172-31-53-51:~$ sudo apt-get install libmysqlclient-dev
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 libssl-dev : Depends: libssl3 (= 3.0.2-0ubuntu1.1) but 3.0.2-0ubuntu1.4 is to be installed
E: Unable to correct problems, you have held broken packages.

But now that libssl3 is using 3.0.2-0ubuntu1.4, let's see what happens if we try...

Read more...

Revision history for this message
atem18 (atem18) wrote (last edit ):

Hi,

I have the same issue with a fresh LXC image of Ubuntu 22.04.

So it's a real bug affecting not just a single instance of Ubuntu.

Revision history for this message
Nigel Warburton (niwa3836) wrote :

Sorry, new to this, I just did and sudo apt-get update and sudo apt-get -y install libmysqlclient-dev and now looks to be working for me. Thank you if someone fixed it:)

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

An openssl security update was published today which superseded the openssl phased update, so this issue should be fixed for now.

Revision history for this message
atem18 (atem18) wrote :

Indeed, it's now fixed, I can confirm it.

Thanks a lot !

Revision history for this message
Jeremy Chadwick (koitsu) wrote :

Can also confirm.

Revision history for this message
rudnik (nnrudakov) wrote :

For postgresql-server-dev also confirm.

Felipe Reyes (freyes)
Changed in charm-mysql-innodb-cluster:
status: New → Invalid
Changed in mysql-8.0 (Ubuntu):
status: Confirmed → Invalid
no longer affects: mysql-8.0 (Ubuntu Jammy)
no longer affects: openssl (Ubuntu Jammy)
Changed in openssl (Ubuntu):
status: Confirmed → Invalid
no longer affects: mysql-8.0 (Ubuntu)
no longer affects: openssl (Ubuntu)
description: updated
description: updated
Revision history for this message
Julian Andres Klode (juliank) wrote :

The same problem now happens with libsystemd0 and libsystemd-dev.

We rolled the change out in 21.10 to avoid regressing 22.04 with bugs, but only received a single instance of this issue back then which was dismissed, maybe a bit too quickly as something known that needs to be resolved in launchpad (bug 1929082).

Revision history for this message
Balint Reczey (rbalint) wrote :

@juliank Thanks for working on this issue!

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apt (Ubuntu Jammy):
status: New → Confirmed
Changed in apt (Ubuntu):
status: New → Confirmed
Changed in apt (Ubuntu):
status: Confirmed → Fix Committed
Changed in apt (Ubuntu Jammy):
status: Confirmed → In Progress
description: updated
description: updated
description: updated
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 2.5.1

---------------
apt (2.5.1) unstable; urgency=medium

  [ Américo Monteiro ]
  * Portuguese manpages translation update (Closes: #1011315)

  [ Ronan Desplanques ]
  * Fix integer underflow in flExtension

  [ Roberto C. Sánchez ]
  * Some minor tweaks of spelling/grammar for better readability.

  [ Tianon Gravi ]
  * Switch from "security.d.o" to "deb.d.o" (matching bullseye release notes)

  [ Julian Andres Klode ]
  * (Temporarily) Rewrite phased updates using a keep-back approach
    (LP: #1979244)
  * policy: Do not override negative pins with 1 due to phasing (LP: #1978125)

 -- Julian Andres Klode <email address hidden> Thu, 30 Jun 2022 13:27:30 +0200

Changed in apt (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Steve Langasek (vorlon) wrote :

> - a phased update that has a version in security

I see there is code here to special-case security updates, and there are also added tests for the scenario where there is a phased update in -security with a PUP of 0. Can you please clarify why you thought this necessary to implement? As an archive policy, all packages released to the security pocket are phased immediately to 100%, and in the exceptional case that we set the phasing to 0 for a package in the security pocket (instead of simply removing it in case of a problem), I would expect apt to honor that.

Changed in apt (Ubuntu Jammy):
status: In Progress → Incomplete
Revision history for this message
Julian Andres Klode (juliank) wrote :

You misunderstood the test, the test has phased-security 2 in security and phased-security 3 is phasing in updates, at 0 to yield an easy test that it's really "not for us".

We don't have special casing for phased-update-percentage set on security updates. The behavior here is identical to update-manager and while I agree that it might make sense to handle that I feel like we can discuss that later rather than block this critical SRU now.

Surely everyone is aware that update-manager does not respect phasing on security updates already and takes care.

This SRU really is just "do what update-manager does, it worked so far". I prefer the pinning based implementation long term as it allows switching candidates (so it installs a good version from security rather than the bad version from updates) and works for install as well but needs more work in both launchpad dominator to keep previous versions in updates and apt to propagate candidate selections across a source package (set).

Changed in apt (Ubuntu Jammy):
status: Incomplete → Triaged
status: Triaged → In Progress
Revision history for this message
Julian Andres Klode (juliank) wrote :

To add to that. In the classic update-manager algorithm if 2 is in security and 3 in updates is not for us, like phasing at 0 or just random chance, 3 is considered a security update and installed anyway.

The problem being that at this point we cannot adjust which version we're going to install or we'd pick version 2 (like the pinning based implementation). I mean I guess we could try that in the future, but it's riskier in terms of setting the solver on 🔥.

Since image building does not yet respect phasing at all and can't until launchpad preserves previous unphased updates, and update-manager does not either for security updates, removals will always be preferable over PUP of 0.

Revision history for this message
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Felipe, or anyone else affected,

Accepted apt into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apt/2.4.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in apt (Ubuntu Jammy):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-jammy
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Hello Felipe, or anyone else affected,

Accepted apt into impish-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apt/2.3.9ubuntu0.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-impish to verification-done-impish. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-impish. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in apt (Ubuntu Impish):
status: New → Fix Committed
tags: added: verification-needed-impish
Jeremy Bicha (jbicha)
Changed in apt (Ubuntu):
importance: Undecided → High
Changed in apt (Ubuntu Impish):
importance: Undecided → High
Changed in apt (Ubuntu Jammy):
importance: Undecided → High
Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (apt/2.3.9ubuntu0.2)

All autopkgtests for the newly accepted apt (2.3.9ubuntu0.2) for impish have finished running.
The following regressions have been reported in tests triggered by the package:

reprotest/0.7.16 (amd64, ppc64el)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/impish/update_excuses.html#apt

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (apt/2.4.6)

All autopkgtests for the newly accepted apt (2.4.6) for jammy have finished running.
The following regressions have been reported in tests triggered by the package:

apport/2.20.11-0ubuntu82.1 (amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/jammy/update_excuses.html#apt

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Julian Andres Klode (juliank) wrote :

Marking them as verified as the tests testing those cases have passed. We're also asking for community testing in parallel to make sure there are not any more regressions that the tests don't cover, but we are using the normal aging period for that, so it's best to tag it verified for now, if there's some regression in the period we can remove it, but otherwise people forget to look at it if it stays unverified.

tags: added: verification-done verification-done-impish verification-done-jammy
removed: verification-needed verification-needed-impish verification-needed-jammy
Revision history for this message
Brian Murray (brian-murray) wrote :

Ubuntu 21.10 (Impish Indri) has reached end of life, so this bug will not be fixed for that specific release.

Changed in apt (Ubuntu Impish):
status: Fix Committed → Won't Fix
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 2.4.6

---------------
apt (2.4.6) jammy; urgency=medium

  * (Temporarily) Rewrite phased updates using a keep-back approach
    (LP: #1979244)
  * policy: Do not override negative pins with 1 due to phasing (LP: #1978125)
  * Point branch to 2.4.y and use jammy in gitlab-ci

 -- Julian Andres Klode <email address hidden> Thu, 30 Jun 2022 15:33:22 +0200

Changed in apt (Ubuntu Jammy):
status: Fix Committed → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for apt has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers