Ubuntu
deja-dup package

Deja Dup's Google support will break in September 2022 for versions < 43.3

Bug #1973816 reported by Michael Terry
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
deja-dup (Debian)
New
Unknown
deja-dup (Ubuntu)
Fix Released
High
Sebastien Bacher
Focal
Fix Released
High
Nathan Teodosio
Jammy
Fix Released
Undecided
Unassigned

Bug Description

* Impact

The method Deja-Dup is using to authentificate to google account will stop working in september.

* Test case

Configure deja-dup to do backups on a google drive account. After confirming the authorization through the web browser it should be possible to start the backup.

Check on the webview that the files are correctly added.

Restore some data and ensure that's working.

* Regression potential

The codepath is used for oauth authentification and integration with the system mimetype. Check that the webbrowser auth workflow works as expected, testing deb and snap based browsers

------------------------------------------

Hello! I'm the maintainer of Deja Dup. I was recently made aware that Google is removing an oauth workflow that Deja Dup uses, in September.

Here's their blog post about it: https://developers.googleblog.com/2022/02/making-oauth-flows-safer.html

Here's the upstream bug about switching to a new oauth flow: https://gitlab.gnome.org/World/deja-dup/-/issues/222

I've released version 43.3 with a new oauth workflow. This basically switches us from redirecting the oauth page to a local http://localhost:xxxx/ page being served by deja-dup and instead has the browser launch a custom URI like 'com.googlecontent.xxx:/oauth2redirect?code=yyy', which then launches deja-dup and gives it the correct oauth token.

The key differences for packagers is just to note that now deja-dup will register itself as a handler for those weird URI schemes (they are specific to deja-dup, as they include its client ids for the service).

I think this deserves a backport to all supported releases. I can whip up a patch for you in a bit, just wanted to get this registered as an issue.

To be a bit more specific about what will break:
- Existing users that have already granted deja-dup access to Google will continue to work without any issue.
- In August, users will see a warning on the oauth screen.
- And then in September, any new attempt to connect deja-dup to Google will not work.

See original description
Revision history for this message
Sebastien Bacher (seb128) wrote :

Thanks Michael for the headsup. We will update to 43 for Kinetic now that the LTS is out we plan to go with the current version of the GNOME libraries but backports of the changes to older series would be welcome as we will need to do SRUs.

I think it makes sense for you as an upstream to probably do 42 which is the last GTK3 supported version and it's probably on us to backport to older version as needed.

Changed in deja-dup (Ubuntu):
importance: Undecided → High
assignee: nobody → Sebastien Bacher (seb128)
status: New → Triaged
Revision history for this message
Michael Terry (mterry) wrote (last edit ):

OK, I've made a little wiki page about this issue for distro maintainers (no real new information, but it does have links to patches at the bottom). The patches should cover all affected versions that Ubuntu supports (40.7, 42.8, and 42.9).

https://wiki.gnome.org/Apps/DejaDup/GoogleAuthChange2022

(hmm, how do I make that a link?)

Revision history for this message
Sebastien Bacher (seb128) wrote :

Doh, I forgot to reference the bug in the changelog but I've updated to 43.3 Debian and Ubuntu Kinetic
https://launchpad.net/ubuntu/+source/deja-dup/43.3-1ubuntu1

SRU to come next, I will start with 22.04 to get some more feedback before SRUing to older series

Testing here without a configured account it worked fine to auth to my google account and do a backup and restore

Changed in deja-dup (Ubuntu):
status: Triaged → Fix Released
Sebastien Bacher (seb128)
description: updated
description: updated
Revision history for this message
Michael Terry (mterry) wrote :

Looks like Debian stable is using 42.7 right now - should I file a bug on the Debian side to track that too?

Revision history for this message
Sebastien Bacher (seb128) wrote :

yes please, stable update in Debian require even more paperwork than Ubuntu SRUs and having a bug to reference is part of it :)

Revision history for this message
Michael Terry (mterry) wrote :

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011355

Bug Watch Updater (bug-watch-updater)
Changed in deja-dup (Debian):
status: Unknown → New
Revision history for this message
Robie Basak (racb) wrote :

The fix for this is stuck in kinetic-proposed on a component mismatch, so I'm changing the status to Fix Committed to reflect that. If the upload is pulled from kinetic-proposed then we'll end up with a higher version in Jammy than in Kinetic so I think it's important to correctly note that it hasn't landed yet.

Changed in deja-dup (Ubuntu Jammy):
status: New → Fix Committed
tags: added: verification-needed verification-needed-jammy
Revision history for this message
Robie Basak (racb) wrote : Please test proposed package

Hello Michael, or anyone else affected,

Accepted deja-dup into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/deja-dup/42.9-1ubuntu3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in deja-dup (Ubuntu):
status: Fix Released → Fix Committed
Revision history for this message
Sebastien Bacher (seb128) wrote :

42.9-1ubuntu3 is working as intended

tags: added: verification-done verification-done-jammy
removed: verification-needed verification-needed-jammy
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for deja-dup has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package deja-dup - 42.9-1ubuntu3

---------------
deja-dup (42.9-1ubuntu3) jammy; urgency=medium

  * debian/patches/git-goauth-deprecation.patch:
    - update the oauth workflow, the local redirection currently used by
      deja-dup is being deprcated by Google and will stop working.
      Thanks Michael Terry providing us backports of the fix!
      (lp: #1973816)

 -- Sebastien Bacher <email address hidden> Fri, 20 May 2022 16:20:58 +0200

Changed in deja-dup (Ubuntu Jammy):
status: Fix Committed → Fix Released
Nathan Teodosio (nteodosio)
Changed in deja-dup (Ubuntu Focal):
status: New → In Progress
Revision history for this message
Nathan Teodosio (nteodosio) wrote :

Here is the SRU for Focal.

I have built it successfully with Pbuilder. I installed the resulting deb and confirmed the program still works as intended: I set up Dejadup with my Google account, made a back-up there, and restored it.

Revision history for this message
Sebastien Bacher (seb128) wrote :

https://launchpad.net/ubuntu/+source/deja-dup/43.3-1ubuntu1

Changed in deja-dup (Ubuntu Focal):
assignee: nobody → Nathan Teodosio (nteodosio)
importance: Undecided → High
status: In Progress → Fix Committed
Changed in deja-dup (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Michael, or anyone else affected,

Accepted deja-dup into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/deja-dup/40.7-0ubuntu2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

description: updated
tags: added: verification-needed verification-needed-focal
removed: verification-done
Revision history for this message
Sebastien Bacher (seb128) wrote :

40.7-0ubuntu2 is working as expected, allowing backup to google drive

tags: added: verification-done verification-done-focal
removed: verification-needed verification-needed-focal
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package deja-dup - 40.7-0ubuntu2

---------------
deja-dup (40.7-0ubuntu2) focal; urgency=medium

  * debian/patches/git-goauth-deprecation.patch:
    - update the oauth workflow, the local redirection currently used by
      deja-dup is being deprcated by Google and will stop working.
      Thanks Michael Terry for providing us backports of the fix!
      (lp: #1973816)

 -- Nathan Pratta Teodosio <email address hidden> Wed, 08 Jun 2022 08:53:42 -0300

Changed in deja-dup (Ubuntu Focal):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.