unattended-upgrades does not work in default installation

Bug #1375919 reported by Anthony Wong
52
This bug affects 11 people
Affects Status Importance Assigned to Milestone
Raspbian
Confirmed
Undecided
Unassigned

Bug Description

/etc/apt/apt.conf.d/50unattended-upgrades has:

// Automatically upgrade packages from these origin patterns
Unattended-Upgrade::Origins-Pattern {
        // Archive or Suite based matching:
        // Note that this will silently match a different release after
        // migration to the specified archive (e.g. testing becomes the
        // new stable).
// "o=Raspbian,a=stable";
// "o=Raspbian,a=stable-updates";
// "o=Raspbian,a=proposed-updates";
        "origin=Raspbian,archive=stable,label=Raspbian-Security";
};

But there is no source with label=Raspbian-Security:

$ apt-cache policy
Package files:
 100 /var/lib/dpkg/status
     release a=now
 500 http://archive.raspberrypi.org/debian/ wheezy/main Translation-en
 500 http://archive.raspberrypi.org/debian/ wheezy/main armhf Packages
     release o=Raspberry Pi Foundation,n=wheezy,l=Raspberry Pi Foundation,c=main
     origin archive.raspberrypi.org
 500 http://raspberrypi.collabora.com/ wheezy/rpi armhf Packages
     release o=Collabora,n=wheezy,l=Collabora Raspberry Pi graphics enablement,c=rpi
     origin raspberrypi.collabora.com
 500 http://mirrordirector.raspbian.org/raspbian/ wheezy/rpi armhf Packages
     release v=7.0,o=Raspbian,a=stable,n=wheezy,l=Raspbian,c=rpi
     origin mirrordirector.raspbian.org
 500 http://mirrordirector.raspbian.org/raspbian/ wheezy/non-free armhf Packages
     release v=7.0,o=Raspbian,a=stable,n=wheezy,l=Raspbian,c=non-free
     origin mirrordirector.raspbian.org
 500 http://mirrordirector.raspbian.org/raspbian/ wheezy/contrib armhf Packages
     release v=7.0,o=Raspbian,a=stable,n=wheezy,l=Raspbian,c=contrib
     origin mirrordirector.raspbian.org
 500 http://mirrordirector.raspbian.org/raspbian/ wheezy/main armhf Packages
     release v=7.0,o=Raspbian,a=stable,n=wheezy,l=Raspbian,c=main
     origin mirrordirector.raspbian.org
Pinned packages:

Revision history for this message
Diederik (didi-debian) wrote :

For wheezy I can confirm this. The line has been removed from the Jessie version.

For wheezy, it can be fixed by making it like this:
"origin=Raspbian,codename=wheezy,component=main";

Or just remove the line.

For Jessie it can stay like this or it could be changed to:
"origin=Raspbian,codename=jessie,component=main";

Which can be commented out by default.

Changed in raspbian:
status: New → Confirmed
Revision history for this message
anarcat (anarcat) wrote :
Download full text (6.7 KiB)

simply removing the line does *not* work in jessie:

root@mafalda:/etc/apt/apt.conf.d# unattended-upgrade -d
Initial blacklisted packages:
Starting unattended upgrades script
Allowed origins are: ['o=Raspbian,n=jessie', 'o=Raspbian,a=stable']
matching 'o'='Raspbian' against '<Origin component:'main' archive:'stable' origin:'Raspbian' label:'Raspbian' site:'mirrordirector.raspbian.org' isTrusted:False>'
matching 'n'='jessie' against '<Origin component:'main' archive:'stable' origin:'Raspbian' label:'Raspbian' site:'mirrordirector.raspbian.org' isTrusted:False>'
matching 'o'='Raspbian' against '<Origin component:'main' archive:'stable' origin:'Raspbian' label:'Raspbian' site:'mirrordirector.raspbian.org' isTrusted:False>'
matching 'n'='jessie' against '<Origin component:'main' archive:'stable' origin:'Raspbian' label:'Raspbian' site:'mirrordirector.raspbian.org' isTrusted:False>'
Checking: libssl1.0.0 ([<Origin component:'main' archive:'stable' origin:'Raspbian' label:'Raspbian' site:'mirrordirector.raspbian.org' isTrusted:False>])
matching 'o'='Raspbian' against '<Origin component:'main' archive:'stable' origin:'Raspbian' label:'Raspbian' site:'mirrordirector.raspbian.org' isTrusted:False>'
matching 'n'='jessie' against '<Origin component:'main' archive:'stable' origin:'Raspbian' label:'Raspbian' site:'mirrordirector.raspbian.org' isTrusted:False>'
Checking: openssl ([<Origin component:'main' archive:'stable' origin:'Raspbian' label:'Raspbian' site:'mirrordirector.raspbian.org' isTrusted:False>])
matching 'o'='Raspbian' against '<Origin component:'main' archive:'stable' origin:'Raspbian' label:'Raspbian' site:'mirrordirector.raspbian.org' isTrusted:False>'
matching 'n'='jessie' against '<Origin component:'main' archive:'stable' origin:'Raspbian' label:'Raspbian' site:'mirrordirector.raspbian.org' isTrusted:False>'
pkgs that look like they should be upgraded: libssl1.0.0
openssl
Fetched 0 B in 0s (0 B/s)
fetch.run() result: 0
<apt_pkg.AcquireItem object:Status: 2 Complete: 1 Local: 1 IsTrusted: 0 FileSize: 853124 DestFile:'/var/cache/apt/archives/libssl1.0.0_1.0.1t-1+deb8u5_armhf.deb' DescURI: 'http://mirrordirector.raspbian.org/raspbian/pool/main/o/openssl/libssl1.0.0_1.0.1t-1+deb8u5_armhf.deb' ID:0 ErrorText: ''>
check_conffile_prompt('/var/cache/apt/archives/libssl1.0.0_1.0.1t-1+deb8u5_armhf.deb')
found pkg: libssl1.0.0
No conffiles in deb '/var/cache/apt/archives/libssl1.0.0_1.0.1t-1+deb8u5_armhf.deb' (There is no member named 'conffiles')
<apt_pkg.AcquireItem object:Status: 2 Complete: 1 Local: 1 IsTrusted: 0 FileSize: 652428 DestFile:'/var/cache/apt/archives/openssl_1.0.1t-1+deb8u5_armhf.deb' DescURI: 'http://mirrordirector.raspbian.org/raspbian/pool/main/o/openssl/openssl_1.0.1t-1+deb8u5_armhf.deb' ID:0 ErrorText: ''>
check_conffile_prompt('/var/cache/apt/archives/openssl_1.0.1t-1+deb8u5_armhf.deb')
found pkg: openssl
conffile line: '/etc/ssl/openssl.cnf 7df26c55291b33344dc15e3935dabaf3'
current md5: 7df26c55291b33344dc15e3935dabaf3
blacklist: ['libssl1.0.0', 'openssl']
matching 'o'='Raspbian' against '<Origin component:'main' ar...

Read more...

Revision history for this message
anarcat (anarcat) wrote :

i have reported this bug upstream here as well: https://github.com/mvo5/unattended-upgrades/issues/32

Revision history for this message
Balint Reczey (rbalint) wrote :

Stretch based RPI now ships 0.93.1+nmu1 without delta thus I assume upstream is now fixed.

Revision history for this message
Peter Nowee (peter-nowee) wrote :

I upgraded to Raspbian Stretch with unattended-upgrades 0.93.1+nmu1, but still got a non-working config file at /etc/apt/apt.conf.d/50unattended-upgrades. IMO, there are two issues that need to be solved before this will work again:

1. Raspbian's unattended-upgrades packages now supplies the Debian-specific, not the Raspbian-specific config file at /etc/apt/apt.conf.d/50unattended-upgrades. In https://github.com/mvo5/unattended-upgrades/issues/32 , upstream (Debian) says it supplies a Raspbian-specific config file, but Raspbian needs to rebuild the package in order to use that, and that this is something that needs to be solved at Raspbian. Is this Launchpad-bug the correct place to discuss that, or should it be reported elsewhere?

2. The Raspbian-specific config file supplied by upstream currently does not match any packages because it contains `archive=${distro_codename}`, which should be `codename=${distro_codename}`. I submitted a patch for that upstream (Fix Raspbian default config codename matching, https://github.com/mvo5/unattended-upgrades/pull/81).

Pander (pander)
tags: added: jessie stretch wheezy
Revision history for this message
Pander (pander) wrote :

Can someone test if this works properly in buster? If yes, can this bug be closed then?

Revision history for this message
Tim Guan-tin Chien (timdream) wrote :

After installing unattended-upgrades 1.11.2 on buster I am seeing this:

// Within lines unattended-upgrades allows 2 macros whose values are
// derived from /etc/debian_version:
// ${distro_id} Installed origin.
// ${distro_codename} Installed codename (eg, "buster")
Unattended-Upgrade::Origins-Pattern {
        // Codename based matching:
        // This will follow the migration of a release through different
        // archives (e.g. from testing to stable and later oldstable).
        // Software will be the latest available for the named release,
        // but the Debian release itself will not be automatically upgraded.
// "origin=Debian,codename=${distro_codename}-updates";
// "origin=Debian,codename=${distro_codename}-proposed-updates";
        "origin=Debian,codename=${distro_codename},label=Debian";
        "origin=Debian,codename=${distro_codename},label=Debian-Security";

        // Archive or Suite based matching:
        // Note that this will silently match a different release after
        // migration to the specified archive (e.g. testing becomes the
        // new stable).
// "o=Debian,a=stable";
// "o=Debian,a=stable-updates";
// "o=Debian,a=proposed-updates";
// "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
};

Based on the comment above, this is the desired setting that should work? The 2020-09-13 image is too new to have any pending security updates.

$ sudo unattended-upgrade --dry-run
$ cat /var/log/unattended-upgrades/unattended-upgrades.log
2020-02-17 17:23:12,666 INFO Checking if system is running on battery is skipped. Please install powermgmt-base package to check power status and skip installing updates when the system is running on battery.
2020-02-17 17:23:13,016 INFO Initial blacklist :
2020-02-17 17:23:13,026 INFO Initial whitelist:
2020-02-17 17:23:13,032 INFO Starting unattended upgrades script
2020-02-17 17:23:13,039 INFO Allowed origins are: origin=Debian,codename=buster,label=Debian, origin=Debian,codename=buster,label=Debian-Security
2020-02-17 17:23:35,232 INFO No packages found that can be upgraded unattended and no pending auto-removals

Revision history for this message
Tim Guan-tin Chien (timdream) wrote :

This is different from the config set in the upstream though:

"origin=Raspbian,codename=${distro_codename},label=Raspbian";
"origin=Raspberry Pi Foundation,codename=${distro_codename},label=Raspberry Pi Foundation";

https://github.com/mvo5/unattended-upgrades/blob/9d63d119b1036b630f4d6fb8f67169244e3c93f0/data/50unattended-upgrades.Raspbian#L38

I am a bit confused on what's the expected configuration here...

Revision history for this message
Peter Nowee (peter-nowee) wrote :

Hmm, then it seems that this bug still affects buster. Upstream
fixed the Raspbian-specific config file, but Raspbian is still
using the Debian-specific config file. Of my earlier comment #5,
item 2 has been solved, but item 1 not yet.

Somehow, the Raspbian unattended-upgrades package needs to be
customized to use the 50unattended-upgrades.Raspbian file, as also
suggested by upstream:
https://github.com/mvo5/unattended-upgrades/issues/32

It is still not clear to me how Raspbian-specific customizations to a
Debian package can be defined or requested in the Raspbian project.
Reading the project FAQ and other documentation, I get the feeling that
with the current infrastructure only the Raspbian maintainers can make
these kinds of changes.

Some other places where this bug has been discussed:
https://raspberrypi.stackexchange.com/questions/72022/configuring-unattended-upgrades-on-raspbian-stretch/74973#74973
https://raspberrypi.stackexchange.com/questions/38931/how-do-i-set-my-raspberry-pi-to-automatically-update-upgrade/102350#102350
https://www.raspberrypi.org/forums/viewtopic.php?f=28&t=255901

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.