[trusty] policy not always initialized when building depcache

Bug #1847496 reported by Julian Andres Klode on 2019-10-09
This bug affects 1 person
Affects: apt (Debian); Status: Fix Released; Importance: Unknown
Affects: apt (Ubuntu); Importance: Medium; Assigned to: Unassigned
Affects: Trusty; Importance: Medium; Assigned to: Unassigned

Bug Description

[Impact]
apt in trusty does not always initialize the policy before constructing the depcache. This means that if you access the depcache, it does not respect pinning when calculating upgrades.

This is not a general problem - according to current knowledge, it only affects apt list. It does affect any code that requests a depCache from pkgCacheFile without having explicitly built caches, or explicitly initialized policy (which other parts of apt do).

[Test case]

1. Add deb https://esm.ubuntu.com/ubuntu/ trusty-infra-security main to sources.list
2. Pin it down

Package: *
Pin: release trusty-infra-security
Pin-Priority: -1

3. Look at apt list apport

Currently it shows:

apport/trusty-updates,trusty-security,now 2.14.1-0ubuntu3.29 all [installed,upgradable to: 2.14.1-0ubuntu3.29]

because when calculating whether the package is upgradable, it did not see the pinning.

Correct would be:

apport/trusty-updates,trusty-security,now 2.14.1-0ubuntu3.29 all [installed]

[Regression potential]
Behavior of code that only initializes depcache, but not policy will change. For example, pinning will be applied in such code (as it is in later versions, and should be). This adds some more error cases as well, such as parsing failures for preferences files.
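
The incorrect line in the test case reports an upgrade to the very version it already lists. As an added example (not part of the original report and not apt's own code), this shell function reads `apt list` output and flags lines of that shape; the function names and the second sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag `apt list` lines whose "upgradable to:" target equals
# the version already shown on the line, the shape of the wrong output in
# this report. Reads `apt list` output on stdin, prints "name version".
find_self_upgrades() {
    awk '
    # Skip the "Listing... Done" banner and anything that is not a package line
    !/\// { next }
    {
        # Field 1 is name/suite[,suite...]; field 2 is the listed version
        split($1, parts, "/")
        name = parts[1]
        ver = $2

        # Extract the version that follows "upgradable to: " (15 characters)
        i = index($0, "upgradable to: ")
        if (i == 0) next
        target = substr($0, i + 15)
        sub(/\].*/, "", target)   # drop the closing bracket and the rest
        sub(/,.*/, "", target)    # drop any further status entries

        if (target == ver) print name " " ver
    }'
}

# Sample input: the first two package lines are the ones quoted in the report,
# the third is constructed to show a line that must not be flagged.
sample_lines() {
    cat <<'EOF'
Listing... Done
apport/trusty-updates,trusty-security,now 2.14.1-0ubuntu3.29 all [installed,upgradable to: 2.14.1-0ubuntu3.29]
apport/trusty-updates,trusty-security,now 2.14.1-0ubuntu3.29 all [installed]
example-pkg/trusty,now 1.0-1 all [installed,upgradable to: 1.0-2]
EOF
}

# Stand-alone run over the embedded sample; on a real host use:
#   apt list 2>/dev/null | find_self_upgrades
sample_lines | find_self_upgrades
```
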

Julian Andres Klode (juliank) wrote :
Changed in apt (Ubuntu Trusty):
status: New → Triaged
Changed in apt (Ubuntu):
status: New → Invalid
Changed in apt (Ubuntu Trusty):
importance: Undecided → Medium
Changed in apt (Ubuntu Trusty):
status: Triaged → In Progress
tags: added: id-5d9e47ddb1dcee0e7664e479

Hello Julian, or anyone else affected,

Accepted apt into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apt/1.0.1ubuntu2.24 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in apt (Ubuntu Trusty):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-trusty

All autopkgtests for the newly accepted apt (1.0.1ubuntu2.24) for trusty have finished running.
The following regressions have been reported in tests triggered by the package:

apt/1.0.1ubuntu2.24 (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/trusty/update_excuses.html#apt

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Julian Andres Klode (juliank) wrote :

Verified OK

root@t:~# apt list apport
Listing... Done
apport/trusty-updates,trusty-security,now 2.14.1-0ubuntu3.29 all [installed,upgradable to: 2.14.1-0ubuntu3.29]
root@t:~# apt install libapt-pkg4.12
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libfreetype6 os-prober
Use 'apt-get autoremove' to remove them.
The following packages will be upgraded:
  libapt-pkg4.12
1 upgraded, 0 newly installed, 0 to remove and 8 not upgraded.
Need to get 646 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ trusty-proposed/main libapt-pkg4.12 amd64 1.0.1ubuntu2.24 [646 kB]
Fetched 646 kB in 0s (2692 kB/s)
(Reading database ... 25111 files and directories currently installed.)
Preparing to unpack .../libapt-pkg4.12_1.0.1ubuntu2.24_amd64.deb ...
Unpacking libapt-pkg4.12:amd64 (1.0.1ubuntu2.24) over (1.0.1ubuntu2.23) ...
Setting up libapt-pkg4.12:amd64 (1.0.1ubuntu2.24) ...
Processing triggers for libc-bin (2.19-0ubuntu6.15) ...
root@t:~# apt list apport
Listing... Done
apport/trusty-updates,trusty-security,now 2.14.1-0ubuntu3.29 all [installed]

tags: added: verification-done verification-done-trusty
removed: verification-needed verification-needed-trusty

Julian Andres Klode (juliank) wrote :

The tests on armhf timed out, but the others all passed; I retried the armhf ones, but not sure if they won't time out again.

Julian Andres Klode (juliank) wrote :

It passed!

Mathew Hodson (mathew-hodson) wrote :

Already fixed upstream and in Ubuntu since Utopic.

Changed in apt (Ubuntu):
importance: Undecided → Medium
status: Invalid → Fix Released
Changed in apt (Debian):
status: Unknown → Fix Released

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 1.0.1ubuntu2.24

---------------
apt (1.0.1ubuntu2.24) trusty; urgency=medium

  [ Michael Vogt ]
  * Ensure we have a Policy in CacheFile.BuildDepCache() (LP: #1847496)

 -- Julian Andres Klode <email address hidden> Thu, 10 Oct 2019 11:24:58 +0200

Changed in apt (Ubuntu Trusty):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for apt has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
