Landscape sometimes don't list the security-update

Hi Norbert --

Landscape does not take into account the "pocket" (ex: ubuntu-security) where a package comes from when reporting if an upgrade is a security fix or not. See this page for more details on pockets: https://wiki.ubuntu.com/SecurityTeam/FAQ#How_are_components_and_pockets_used_in_the_builds.2C_and_how_do_they_affect_security_updates.3F

Instead, Landscape relies on the USN Database, which is authoritative for Ubuntu systems. A number of factors could be at play here, and this problem would need more isolation before it could be actioned.

Just off the top of my head:

1) Your image shows 38 "Upgrades", but you had 7 packages actually installed in your output. These could be different machines, or different points in time.

2) There is a package reporter process that runs periodically from the client and reports back to the server, you may have caught things during a window before that was run.

3) the USN database needs to be kept up to date, and errors or firewall blocks can cause this process to never complete. See here for example: https://askubuntu.com/questions/879604/, https://askubuntu.com/questions/818983

Please check into these things and narrow things down. But, just so you know, your base assumption about the pocket being important to Landscape calculation is not correct. It does not come into play at all. Just package name, version and the USN database are used.

Hello,
thank your for your answer.

With this new information, I was able to narrow down the problem. Now I think it's not a bug in Landcape.

I searched the USN database https://usn.ubuntu.com/usn-db/database-all.json for these updates. I found some packages which are released by the security repo but has no entry in the USN-database.

Example: I installed linux-firmware_1.157.15 and can update to linux-firmware_1.157.16 via xenial-security, but there is no entry for linux-firmware_1.157.16 in the database.

Is it possible that not every update in $release-security as an entry in the USN-database?

Best regards,
Norbert Härig

Hi Norbert - thanks for the additional research! I can confirm that we (Ubuntu Security) release some updates into the -security pocket without publishing a USN for the update. What I think is happening in this specific case is that you're seeing updates in the -security pocket that don't fix a security vulnerability.

It is valid for a system to not enable the -updates pocket and only have the release and -security pockets enabled. That makes it necessary to publish updates to the -security pocket which don't necessarily fix security vulnerabilities. An example would be a update to a toolchain related package, such as gcc, that's needed in order to build a future security update. The updated toolchain package typically won't receive a USN even though it was published to -security. The actual security update, built with the new toolchain, will receive a USN. It is fine if an end user's system doesn't have the new toolchain update because it isn't actually needed to fix a vulnerability.

Hi,

Thanks for the answer, the information helped me a lot.

Best regards
Norbert Härig

[Expired for Landscape Server because there has been no activity for 60 days.]