2019-11-08 16:21:42 |
Adam Conrad |
bug |
|
|
added bug |
2019-11-08 16:30:14 |
Andreas Hasenack |
bug |
|
|
added subscriber Andreas Hasenack |
2019-11-08 16:32:06 |
Joshua Powers |
bug |
|
|
added subscriber Joshua Powers |
2019-11-08 19:21:45 |
Joshua Powers |
ubuntu-advantage-tools (Ubuntu): status |
New |
Triaged |
|
2019-11-08 19:21:52 |
Joshua Powers |
ubuntu-advantage-tools (Ubuntu): importance |
Undecided |
High |
|
2019-11-08 19:22:21 |
Joshua Powers |
ubuntu-advantage-tools (Ubuntu): assignee |
|
Andreas Hasenack (ahasenack) |
|
2019-11-08 19:22:30 |
Joshua Powers |
nominated for series |
|
Ubuntu Trusty |
|
2019-11-08 19:22:30 |
Joshua Powers |
bug task added |
|
ubuntu-advantage-tools (Ubuntu Trusty) |
|
2019-11-08 20:03:56 |
Andreas Hasenack |
bug watch added |
|
https://github.com/CanonicalLtd/ubuntu-advantage-client/issues/911 |
|
2019-11-08 20:03:56 |
Andreas Hasenack |
bug task added |
|
ubuntu-advantage-script |
|
2019-11-08 20:04:06 |
Andreas Hasenack |
ubuntu-advantage-tools (Ubuntu Trusty): status |
New |
Triaged |
|
2019-11-08 20:04:08 |
Andreas Hasenack |
ubuntu-advantage-tools (Ubuntu Trusty): importance |
Undecided |
High |
|
2019-11-08 20:04:11 |
Andreas Hasenack |
ubuntu-advantage-tools (Ubuntu Trusty): assignee |
|
Andreas Hasenack (ahasenack) |
|
2019-11-08 20:22:46 |
Bug Watch Updater |
ubuntu-advantage-script: status |
Unknown |
New |
|
2019-11-11 13:02:58 |
Andreas Hasenack |
ubuntu-advantage-tools (Ubuntu Trusty): status |
Triaged |
In Progress |
|
2019-11-14 17:47:54 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/ubuntu-advantage-tools/+git/ubuntu-advantage-tools/+merge/375564 |
|
2019-11-14 17:49:07 |
Andreas Hasenack |
description |
The shiny new ubuntu-advantage-tools client adds ESM to sources.list.d unconditionally on all architectures, but the ESM archive itself currently only publishes for x86. One of those two things is a bug.
Personally, I think it's a bug we don't publish ESM for all the same arches as we released for (even if we don't update all the packages for all arches, people would at least get things like tzdata updates), but if the intent is to be strictly x86-only, then ubuntu-advantage-tools is very much in the wrong here, as it creates a situation where apt-get update fails on all !x86. |
[Impact]
* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an
explanation of how the upload fixes this bug.
[Test Case]
* detailed instructions how to reproduce the bug
* these should allow someone who is not familiar with the affected
package to reproduce the bug and verify that the updated package fixes
the problem.
[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[Original Description]
The shiny new ubuntu-advantage-tools client adds ESM to sources.list.d unconditionally on all architectures, but the ESM archive itself currently only publishes for x86. One of those two things is a bug.
Personally, I think it's a bug we don't publish ESM for all the same arches as we released for (even if we don't update all the packages for all arches, people would at least get things like tzdata updates), but if the intent is to be strictly x86-only, then ubuntu-advantage-tools is very much in the wrong here, as it creates a situation where apt-get update fails on all !x86. |
|
2019-11-14 17:57:41 |
Andreas Hasenack |
description |
[Impact]
* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an
explanation of how the upload fixes this bug.
[Test Case]
* detailed instructions how to reproduce the bug
* these should allow someone who is not familiar with the affected
package to reproduce the bug and verify that the updated package fixes
the problem.
[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[Original Description]
The shiny new ubuntu-advantage-tools client adds ESM to sources.list.d unconditionally on all architectures, but the ESM archive itself currently only publishes for x86. One of those two things is a bug.
Personally, I think it's a bug we don't publish ESM for all the same arches as we released for (even if we don't update all the packages for all arches, people would at least get things like tzdata updates), but if the intent is to be strictly x86-only, then ubuntu-advantage-tools is very much in the wrong here, as it creates a situation where apt-get update fails on all !x86. |
[Impact]
The ubuntu-advantage-tools package ("uat", for short) installs by default a sources.list snippet so that the machine can become aware of available ESM updates. They cannot be downloaded without authentication, so to prevent them from being considered in updates, an apt preferences file is also installed pinning the esm repository down.
Turns out that ESM is only available for the x86 architecture, and installing that sources.list snippet for other architectures leads to apt-get update failures.
The change in this SRU adds another case for when postinst configures and unconfigures ESM, and that is an architecture check via `dpkg --print-architecture`.
This by itself is not enough to prevent users from trying to enable esm-infra on non-x86 architectures, as the contract server is still incorrectly advertising that support. This has been fixed in the staging deployment and a production deployment with this change should happen soon as well, completing the fix for this issue.
[Test Case]
* detailed instructions how to reproduce the bug
* these should allow someone who is not familiar with the affected
package to reproduce the bug and verify that the updated package fixes
the problem.
[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[Original Description]
The shiny new ubuntu-advantage-tools client adds ESM to sources.list.d unconditionally on all architectures, but the ESM archive itself currently only publishes for x86. One of those two things is a bug.
Personally, I think it's a bug we don't publish ESM for all the same arches as we released for (even if we don't update all the packages for all arches, people would at least get things like tzdata updates), but if the intent is to be strictly x86-only, then ubuntu-advantage-tools is very much in the wrong here, as it creates a situation where apt-get update fails on all !x86. |
|
2019-11-14 18:02:32 |
Andreas Hasenack |
description |
[Impact]
The ubuntu-advantage-tools package ("uat", for short) installs by default a sources.list snippet so that the machine can become aware of available ESM updates. They cannot be downloaded without authentication, so to prevent them from being considered in updates, an apt preferences file is also installed pinning the esm repository down.
Turns out that ESM is only available for the x86 architecture, and installing that sources.list snippet for other architectures leads to apt-get update failures.
The change in this SRU adds another case for when postinst configures and unconfigures ESM, and that is an architecture check via `dpkg --print-architecture`.
This by itself is not enough to prevent users from trying to enable esm-infra on non-x86 architectures, as the contract server is still incorrectly advertising that support. This has been fixed in the staging deployment and a production deployment with this change should happen soon as well, completing the fix for this issue.
[Test Case]
* detailed instructions how to reproduce the bug
* these should allow someone who is not familiar with the affected
package to reproduce the bug and verify that the updated package fixes
the problem.
[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[Original Description]
The shiny new ubuntu-advantage-tools client adds ESM to sources.list.d unconditionally on all architectures, but the ESM archive itself currently only publishes for x86. One of those two things is a bug.
Personally, I think it's a bug we don't publish ESM for all the same arches as we released for (even if we don't update all the packages for all arches, people would at least get things like tzdata updates), but if the intent is to be strictly x86-only, then ubuntu-advantage-tools is very much in the wrong here, as it creates a situation where apt-get update fails on all !x86. |
[Impact]
The ubuntu-advantage-tools package ("uat", for short) installs by default a sources.list snippet so that the machine can become aware of available ESM updates. They cannot be downloaded without authentication, so to prevent them from being considered in updates, an apt preferences file is also installed pinning the esm repository down.
Turns out that ESM is only available for the x86 architecture, and installing that sources.list snippet for other architectures leads to apt-get update failures.
A mitigation was put in place on the ESM repository to publish an empty archive for these unsupported architectures, so apt-get update won't fail.
The change in this SRU adds another case for when postinst configures and unconfigures ESM, and that is an architecture check via `dpkg --print-architecture`.
This by itself is not enough to prevent users from trying to enable esm-infra on non-x86 architectures, as the contract server is still incorrectly advertising that support. This has been fixed in the staging deployment and a production deployment with this change should happen soon as well, completing the fix for this issue.
[Test Case]
* detailed instructions how to reproduce the bug
* these should allow someone who is not familiar with the affected
package to reproduce the bug and verify that the updated package fixes
the problem.
[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[Original Description]
The shiny new ubuntu-advantage-tools client adds ESM to sources.list.d unconditionally on all architectures, but the ESM archive itself currently only publishes for x86. One of those two things is a bug.
Personally, I think it's a bug we don't publish ESM for all the same arches as we released for (even if we don't update all the packages for all arches, people would at least get things like tzdata updates), but if the intent is to be strictly x86-only, then ubuntu-advantage-tools is very much in the wrong here, as it creates a situation where apt-get update fails on all !x86. |
|
2019-11-14 18:17:46 |
Andreas Hasenack |
description |
[Impact]
The ubuntu-advantage-tools package ("uat", for short) installs by default a sources.list snippet so that the machine can become aware of available ESM updates. They cannot be downloaded without authentication, so to prevent them from being considered in updates, an apt preferences file is also installed pinning the esm repository down.
Turns out that ESM is only available for the x86 architecture, and installing that sources.list snippet for other architectures leads to apt-get update failures.
A mitigation was put in place on the ESM repository to publish an empty archive for these unsupported architectures, so apt-get update won't fail.
The change in this SRU adds another case for when postinst configures and unconfigures ESM, and that is an architecture check via `dpkg --print-architecture`.
This by itself is not enough to prevent users from trying to enable esm-infra on non-x86 architectures, as the contract server is still incorrectly advertising that support. This has been fixed in the staging deployment and a production deployment with this change should happen soon as well, completing the fix for this issue.
[Test Case]
* detailed instructions how to reproduce the bug
* these should allow someone who is not familiar with the affected
package to reproduce the bug and verify that the updated package fixes
the problem.
[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[Original Description]
The shiny new ubuntu-advantage-tools client adds ESM to sources.list.d unconditionally on all architectures, but the ESM archive itself currently only publishes for x86. One of those two things is a bug.
Personally, I think it's a bug we don't publish ESM for all the same arches as we released for (even if we don't update all the packages for all arches, people would at least get things like tzdata updates), but if the intent is to be strictly x86-only, then ubuntu-advantage-tools is very much in the wrong here, as it creates a situation where apt-get update fails on all !x86. |
[Impact]
The ubuntu-advantage-tools package ("uat", for short) installs by default a sources.list snippet so that the machine can become aware of available ESM updates. They cannot be downloaded without authentication, so to prevent them from being considered in updates, an apt preferences file is also installed pinning the esm repository down.
Turns out that ESM is only available for the x86 architecture, and installing that sources.list snippet for other architectures leads to apt-get update failures.
A mitigation was put in place on the ESM repository to publish an empty archive for these unsupported architectures, so apt-get update won't fail.
The change in this SRU adds another case for when postinst configures and unconfigures ESM, and that is an architecture check via `dpkg --print-architecture`.
This by itself is not enough to prevent users from trying to enable esm-infra on non-x86 architectures, as the contract server is still incorrectly advertising that support. This has been fixed in the staging deployment and a production deployment with this change should happen soon as well, completing the fix for this issue.
[Test Case]
# Install the current trusty-updates ubuntu-advantage-tools on a non-x86 system (armhf, arm64, ppc64el, or s390x).
$ sudo apt install ubuntu-advantage-tools
# verify that apt-get update is hitting the esm repository:
$ sudo apt-get update | grep esm
Get:1 https://esm.ubuntu.com trusty-infra-security InRelease
Get:2 https://esm.ubuntu.com trusty-infra-updates InRelease
...
# verify that an esm pinning file was installed. Check that esm.ubuntu.com shows up in the apt-cache policy output, and that its pinning is negative:
$ apt-cache policy | grep esm
-32768 https://esm.ubuntu.com/ubuntu/ trusty-infra-updates/main ppc64el Packages
origin esm.ubuntu.com
-32768 https://esm.ubuntu.com/ubuntu/ trusty-infra-security/main ppc64el Packages
origin esm.ubuntu.com
# upgrade to the ubuntu-advantage-tools package from proposed and repeat the test. apt-get update shouldn't be hitting the ESm repository anymore, and the policy output should be empty as well:
$ sudo apt install ubuntu-advantage-tools # from trusty-proposed
$ apt-get update
<empty>
$ apt-cache policy | grep esm
<empty>
# conversely, on a x86 system, the output should remain the same, i.e., esm should be listed and again with a negative pinning
[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[Original Description]
The shiny new ubuntu-advantage-tools client adds ESM to sources.list.d unconditionally on all architectures, but the ESM archive itself currently only publishes for x86. One of those two things is a bug.
Personally, I think it's a bug we don't publish ESM for all the same arches as we released for (even if we don't update all the packages for all arches, people would at least get things like tzdata updates), but if the intent is to be strictly x86-only, then ubuntu-advantage-tools is very much in the wrong here, as it creates a situation where apt-get update fails on all !x86. |
|
2019-11-14 18:28:45 |
Andreas Hasenack |
description |
[Impact]
The ubuntu-advantage-tools package ("uat", for short) installs by default a sources.list snippet so that the machine can become aware of available ESM updates. They cannot be downloaded without authentication, so to prevent them from being considered in updates, an apt preferences file is also installed pinning the esm repository down.
Turns out that ESM is only available for the x86 architecture, and installing that sources.list snippet for other architectures leads to apt-get update failures.
A mitigation was put in place on the ESM repository to publish an empty archive for these unsupported architectures, so apt-get update won't fail.
The change in this SRU adds another case for when postinst configures and unconfigures ESM, and that is an architecture check via `dpkg --print-architecture`.
This by itself is not enough to prevent users from trying to enable esm-infra on non-x86 architectures, as the contract server is still incorrectly advertising that support. This has been fixed in the staging deployment and a production deployment with this change should happen soon as well, completing the fix for this issue.
[Test Case]
# Install the current trusty-updates ubuntu-advantage-tools on a non-x86 system (armhf, arm64, ppc64el, or s390x).
$ sudo apt install ubuntu-advantage-tools
# verify that apt-get update is hitting the esm repository:
$ sudo apt-get update | grep esm
Get:1 https://esm.ubuntu.com trusty-infra-security InRelease
Get:2 https://esm.ubuntu.com trusty-infra-updates InRelease
...
# verify that an esm pinning file was installed. Check that esm.ubuntu.com shows up in the apt-cache policy output, and that its pinning is negative:
$ apt-cache policy | grep esm
-32768 https://esm.ubuntu.com/ubuntu/ trusty-infra-updates/main ppc64el Packages
origin esm.ubuntu.com
-32768 https://esm.ubuntu.com/ubuntu/ trusty-infra-security/main ppc64el Packages
origin esm.ubuntu.com
# upgrade to the ubuntu-advantage-tools package from proposed and repeat the test. apt-get update shouldn't be hitting the ESm repository anymore, and the policy output should be empty as well:
$ sudo apt install ubuntu-advantage-tools # from trusty-proposed
$ apt-get update
<empty>
$ apt-cache policy | grep esm
<empty>
# conversely, on a x86 system, the output should remain the same, i.e., esm should be listed and again with a negative pinning
[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[Original Description]
The shiny new ubuntu-advantage-tools client adds ESM to sources.list.d unconditionally on all architectures, but the ESM archive itself currently only publishes for x86. One of those two things is a bug.
Personally, I think it's a bug we don't publish ESM for all the same arches as we released for (even if we don't update all the packages for all arches, people would at least get things like tzdata updates), but if the intent is to be strictly x86-only, then ubuntu-advantage-tools is very much in the wrong here, as it creates a situation where apt-get update fails on all !x86. |
[Impact]
The ubuntu-advantage-tools package ("uat", for short) installs by default a sources.list snippet so that the machine can become aware of available ESM updates. They cannot be downloaded without authentication, so to prevent them from being considered in updates, an apt preferences file is also installed pinning the esm repository down.
Turns out that ESM is only available for the x86 architecture, and installing that sources.list snippet for other architectures leads to apt-get update failures.
A mitigation was put in place on the ESM repository to publish an empty archive for these unsupported architectures, so apt-get update won't fail.
The change in this SRU adds another case for when postinst configures and unconfigures ESM, and that is an architecture check via `dpkg --print-architecture`.
This by itself is not enough to prevent users from trying to enable esm-infra on non-x86 architectures, as the contract server is still incorrectly advertising that support. This has been fixed in the staging deployment and a production deployment with this change should happen soon as well, completing the fix for this issue.
[Test Case]
# Install the current trusty-updates ubuntu-advantage-tools on a non-x86 system (armhf, arm64, ppc64el, or s390x).
$ sudo apt install ubuntu-advantage-tools
# verify that apt-get update is hitting the esm repository:
$ sudo apt-get update | grep esm
Get:1 https://esm.ubuntu.com trusty-infra-security InRelease
Get:2 https://esm.ubuntu.com trusty-infra-updates InRelease
...
# verify that an esm pinning file was installed. Check that esm.ubuntu.com shows up in the apt-cache policy output, and that its pinning is negative:
$ apt-cache policy | grep esm
-32768 https://esm.ubuntu.com/ubuntu/ trusty-infra-updates/main ppc64el Packages
origin esm.ubuntu.com
-32768 https://esm.ubuntu.com/ubuntu/ trusty-infra-security/main ppc64el Packages
origin esm.ubuntu.com
# upgrade to the ubuntu-advantage-tools package from proposed and repeat the test. apt-get update shouldn't be hitting the ESm repository anymore, and the policy output should be empty as well:
$ sudo apt install ubuntu-advantage-tools # from trusty-proposed
$ apt-get update
<empty>
$ apt-cache policy | grep esm
<empty>
# conversely, on a x86 system, the output should remain the same, i.e., esm should be listed and again with a negative pinning
[Regression Potential]
TBD
[Other Info]
TBD
[Original Description]
The shiny new ubuntu-advantage-tools client adds ESM to sources.list.d unconditionally on all architectures, but the ESM archive itself currently only publishes for x86. One of those two things is a bug.
Personally, I think it's a bug we don't publish ESM for all the same arches as we released for (even if we don't update all the packages for all arches, people would at least get things like tzdata updates), but if the intent is to be strictly x86-only, then ubuntu-advantage-tools is very much in the wrong here, as it creates a situation where apt-get update fails on all !x86. |
|
2019-11-14 18:39:10 |
Andreas Hasenack |
description |
[Impact]
The ubuntu-advantage-tools package ("uat", for short) installs by default a sources.list snippet so that the machine can become aware of available ESM updates. They cannot be downloaded without authentication, so to prevent them from being considered in updates, an apt preferences file is also installed pinning the esm repository down.
Turns out that ESM is only available for the x86 architecture, and installing that sources.list snippet for other architectures leads to apt-get update failures.
A mitigation was put in place on the ESM repository to publish an empty archive for these unsupported architectures, so apt-get update won't fail.
The change in this SRU adds another case for when postinst configures and unconfigures ESM, and that is an architecture check via `dpkg --print-architecture`.
This by itself is not enough to prevent users from trying to enable esm-infra on non-x86 architectures, as the contract server is still incorrectly advertising that support. This has been fixed in the staging deployment and a production deployment with this change should happen soon as well, completing the fix for this issue.
[Test Case]
# Install the current trusty-updates ubuntu-advantage-tools on a non-x86 system (armhf, arm64, ppc64el, or s390x).
$ sudo apt install ubuntu-advantage-tools
# verify that apt-get update is hitting the esm repository:
$ sudo apt-get update | grep esm
Get:1 https://esm.ubuntu.com trusty-infra-security InRelease
Get:2 https://esm.ubuntu.com trusty-infra-updates InRelease
...
# verify that an esm pinning file was installed. Check that esm.ubuntu.com shows up in the apt-cache policy output, and that its pinning is negative:
$ apt-cache policy | grep esm
-32768 https://esm.ubuntu.com/ubuntu/ trusty-infra-updates/main ppc64el Packages
origin esm.ubuntu.com
-32768 https://esm.ubuntu.com/ubuntu/ trusty-infra-security/main ppc64el Packages
origin esm.ubuntu.com
# upgrade to the ubuntu-advantage-tools package from proposed and repeat the test. apt-get update shouldn't be hitting the ESm repository anymore, and the policy output should be empty as well:
$ sudo apt install ubuntu-advantage-tools # from trusty-proposed
$ apt-get update
<empty>
$ apt-cache policy | grep esm
<empty>
# conversely, on a x86 system, the output should remain the same, i.e., esm should be listed and again with a negative pinning
[Regression Potential]
TBD
[Other Info]
TBD
[Original Description]
The shiny new ubuntu-advantage-tools client adds ESM to sources.list.d unconditionally on all architectures, but the ESM archive itself currently only publishes for x86. One of those two things is a bug.
Personally, I think it's a bug we don't publish ESM for all the same arches as we released for (even if we don't update all the packages for all arches, people would at least get things like tzdata updates), but if the intent is to be strictly x86-only, then ubuntu-advantage-tools is very much in the wrong here, as it creates a situation where apt-get update fails on all !x86. |
[Impact]
The ubuntu-advantage-tools package ("uat", for short) installs by default a sources.list snippet so that the machine can become aware of available ESM updates. They cannot be downloaded without authentication, so to prevent them from being considered in updates, an apt preferences file is also installed pinning the esm repository down.
Turns out that ESM is only available for the x86 architecture, and installing that sources.list snippet for other architectures leads to apt-get update failures.
A mitigation was put in place on the ESM repository to publish an empty archive for these unsupported architectures, so apt-get update won't fail.
The change in this SRU adds another case for when postinst configures and unconfigures ESM, and that is an architecture check via `dpkg --print-architecture`.
This by itself is not enough to prevent users from trying to enable esm-infra on non-x86 architectures, as the contract server is still incorrectly advertising that support. This has been fixed in the staging deployment and a production deployment with this change should happen soon as well, completing the fix for this issue.
[Test Case]
# Install the current trusty-updates ubuntu-advantage-tools on a non-x86 system (armhf, arm64, ppc64el, or s390x).
$ sudo apt install ubuntu-advantage-tools
# verify that apt-get update is hitting the esm repository:
$ sudo apt-get update | grep esm
Get:1 https://esm.ubuntu.com trusty-infra-security InRelease
Get:2 https://esm.ubuntu.com trusty-infra-updates InRelease
...
# verify that an esm pinning file was installed. Check that esm.ubuntu.com shows up in the apt-cache policy output, and that its pinning is negative:
$ apt-cache policy | grep esm
-32768 https://esm.ubuntu.com/ubuntu/ trusty-infra-updates/main ppc64el Packages
origin esm.ubuntu.com
-32768 https://esm.ubuntu.com/ubuntu/ trusty-infra-security/main ppc64el Packages
origin esm.ubuntu.com
# upgrade to the ubuntu-advantage-tools package from proposed and repeat the test. apt-get update shouldn't be hitting the ESm repository anymore, and the policy output should be empty as well:
$ sudo apt install ubuntu-advantage-tools # from trusty-proposed
$ apt-get update
<empty>
$ apt-cache policy | grep esm
<empty>
# conversely, on a x86 system, the output should remain the same, i.e., esm should be listed and again with a negative pinning
[Regression Potential]
The logic relies on architecture names returned by `dpkg --print-architecture`. It there is a change in its output, or some other bug, we could be disabling (or enabling) the esm repository where we shouldn't.
[Other Info]
The knowledge about which architectures are supported is now statically stored in the package, which is a bit unfortunate. The final authority is the contract server, and the actual esm repository. This information is sent to the client, but we are not making a network call in postinst to verify that. One reason being that the launchpad builders and DEP8 runners block such egress traffic.
[Original Description]
The shiny new ubuntu-advantage-tools client adds ESM to sources.list.d unconditionally on all architectures, but the ESM archive itself currently only publishes for x86. One of those two things is a bug.
Personally, I think it's a bug we don't publish ESM for all the same arches as we released for (even if we don't update all the packages for all arches, people would at least get things like tzdata updates), but if the intent is to be strictly x86-only, then ubuntu-advantage-tools is very much in the wrong here, as it creates a situation where apt-get update fails on all !x86. |
|
2019-11-14 19:00:33 |
Andreas Hasenack |
description |
[Impact]
The ubuntu-advantage-tools package ("uat", for short) installs by default a sources.list snippet so that the machine can become aware of available ESM updates. They cannot be downloaded without authentication, so to prevent them from being considered in updates, an apt preferences file is also installed pinning the esm repository down.
Turns out that ESM is only available for the x86 architecture, and installing that sources.list snippet for other architectures leads to apt-get update failures.
A mitigation was put in place on the ESM repository to publish an empty archive for these unsupported architectures, so apt-get update won't fail.
The change in this SRU adds another case for when postinst configures and unconfigures ESM, and that is an architecture check via `dpkg --print-architecture`.
This by itself is not enough to prevent users from trying to enable esm-infra on non-x86 architectures, as the contract server is still incorrectly advertising that support. This has been fixed in the staging deployment and a production deployment with this change should happen soon as well, completing the fix for this issue.
[Test Case]
# Install the current trusty-updates ubuntu-advantage-tools on a non-x86 system (armhf, arm64, ppc64el, or s390x).
$ sudo apt install ubuntu-advantage-tools
# verify that apt-get update is hitting the esm repository:
$ sudo apt-get update | grep esm
Get:1 https://esm.ubuntu.com trusty-infra-security InRelease
Get:2 https://esm.ubuntu.com trusty-infra-updates InRelease
...
# verify that an esm pinning file was installed. Check that esm.ubuntu.com shows up in the apt-cache policy output, and that its pinning is negative:
$ apt-cache policy | grep esm
-32768 https://esm.ubuntu.com/ubuntu/ trusty-infra-updates/main ppc64el Packages
origin esm.ubuntu.com
-32768 https://esm.ubuntu.com/ubuntu/ trusty-infra-security/main ppc64el Packages
origin esm.ubuntu.com
# upgrade to the ubuntu-advantage-tools package from proposed and repeat the test. apt-get update shouldn't be hitting the ESm repository anymore, and the policy output should be empty as well:
$ sudo apt install ubuntu-advantage-tools # from trusty-proposed
$ apt-get update
<empty>
$ apt-cache policy | grep esm
<empty>
# conversely, on a x86 system, the output should remain the same, i.e., esm should be listed and again with a negative pinning
[Regression Potential]
The logic relies on architecture names returned by `dpkg --print-architecture`. It there is a change in its output, or some other bug, we could be disabling (or enabling) the esm repository where we shouldn't.
[Other Info]
The knowledge about which architectures are supported is now statically stored in the package, which is a bit unfortunate. The final authority is the contract server, and the actual esm repository. This information is sent to the client, but we are not making a network call in postinst to verify that. One reason being that the launchpad builders and DEP8 runners block such egress traffic.
[Original Description]
The shiny new ubuntu-advantage-tools client adds ESM to sources.list.d unconditionally on all architectures, but the ESM archive itself currently only publishes for x86. One of those two things is a bug.
Personally, I think it's a bug we don't publish ESM for all the same arches as we released for (even if we don't update all the packages for all arches, people would at least get things like tzdata updates), but if the intent is to be strictly x86-only, then ubuntu-advantage-tools is very much in the wrong here, as it creates a situation where apt-get update fails on all !x86. |
[Impact]
The ubuntu-advantage-tools package ("uat", for short) installs by default a sources.list snippet so that the machine can become aware of available ESM updates. They cannot be downloaded without authentication, so to prevent them from being considered in updates, an apt preferences file is also installed pinning the esm repository down.
Turns out that ESM is only available for the x86 architecture, and installing that sources.list snippet for other architectures leads to apt-get update failures.
A mitigation was put in place on the ESM repository to publish an empty archive for these unsupported architectures, so apt-get update won't fail.
The change in this SRU adds another case for when postinst configures and unconfigures ESM, and that is an architecture check via `dpkg --print-architecture`.
This by itself is not enough to prevent users from trying to enable esm-infra on non-x86 architectures, as the contract server is still incorrectly advertising that support. This has been fixed in the staging deployment and a production deployment with this change should happen soon as well, completing the fix for this issue.
[Test Case]
# Install the current trusty-updates ubuntu-advantage-tools on a non-x86 system (armhf, arm64, ppc64el, or s390x).
$ sudo apt install ubuntu-advantage-tools
# verify that apt-get update is hitting the esm repository:
$ sudo apt-get update | grep esm
Get:1 https://esm.ubuntu.com trusty-infra-security InRelease
Get:2 https://esm.ubuntu.com trusty-infra-updates InRelease
...
# verify that an esm pinning file was installed. Check that esm.ubuntu.com shows up in the apt-cache policy output, and that its pinning is negative:
$ apt-cache policy | grep esm
-32768 https://esm.ubuntu.com/ubuntu/ trusty-infra-updates/main ppc64el Packages
origin esm.ubuntu.com
-32768 https://esm.ubuntu.com/ubuntu/ trusty-infra-security/main ppc64el Packages
origin esm.ubuntu.com
# upgrade to the ubuntu-advantage-tools package from proposed and repeat the test. apt-get update shouldn't be hitting the ESm repository anymore, and the policy output should be empty as well:
$ sudo apt install ubuntu-advantage-tools # from trusty-proposed
$ apt-get update
<empty>
$ apt-cache policy | grep esm
<empty>
# conversely, on a x86 system, the output should remain the same, i.e., esm should be listed and again with a negative pinning
[Regression Potential]
The logic relies on architecture names returned by `dpkg --print-architecture`. It there is a change in its output, or some other bug, we could be disabling (or enabling) the esm repository where we shouldn't.
[Other Info]
The knowledge about which architectures are supported is now statically stored in the package, which is a bit unfortunate. The final authority is the contract server, and the actual esm repository. This information is sent to the client, but we are not making a network call in postinst to verify that. One reason being that the launchpad builders and DEP8 runners block such egress traffic.
If esm-infra was already enabled before applying the update, it will become disabled on non-x86 architectures. Since there are no non-x86 ESM updates available, this is just reflecting the truth about the support.
[Original Description]
The shiny new ubuntu-advantage-tools client adds ESM to sources.list.d unconditionally on all architectures, but the ESM archive itself currently only publishes for x86. One of those two things is a bug.
Personally, I think it's a bug we don't publish ESM for all the same arches as we released for (even if we don't update all the packages for all arches, people would at least get things like tzdata updates), but if the intent is to be strictly x86-only, then ubuntu-advantage-tools is very much in the wrong here, as it creates a situation where apt-get update fails on all !x86. |
|
2019-11-19 03:32:27 |
Bug Watch Updater |
ubuntu-advantage-script: status |
New |
Fix Released |
|
2019-11-26 21:44:06 |
Steve Langasek |
ubuntu-advantage-tools (Ubuntu Trusty): status |
In Progress |
Fix Committed |
|
2019-11-26 21:44:08 |
Steve Langasek |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2019-11-26 21:44:11 |
Steve Langasek |
bug |
|
|
added subscriber SRU Verification |
2019-11-26 21:44:15 |
Steve Langasek |
tags |
|
verification-needed verification-needed-trusty |
|
2019-11-27 13:34:47 |
Andreas Hasenack |
description |
[Impact]
The ubuntu-advantage-tools package ("uat", for short) installs by default a sources.list snippet so that the machine can become aware of available ESM updates. They cannot be downloaded without authentication, so to prevent them from being considered in updates, an apt preferences file is also installed pinning the esm repository down.
Turns out that ESM is only available for the x86 architecture, and installing that sources.list snippet for other architectures leads to apt-get update failures.
A mitigation was put in place on the ESM repository to publish an empty archive for these unsupported architectures, so apt-get update won't fail.
The change in this SRU adds another case for when postinst configures and unconfigures ESM, and that is an architecture check via `dpkg --print-architecture`.
This by itself is not enough to prevent users from trying to enable esm-infra on non-x86 architectures, as the contract server is still incorrectly advertising that support. This has been fixed in the staging deployment and a production deployment with this change should happen soon as well, completing the fix for this issue.
[Test Case]
# Install the current trusty-updates ubuntu-advantage-tools on a non-x86 system (armhf, arm64, ppc64el, or s390x).
$ sudo apt install ubuntu-advantage-tools
# verify that apt-get update is hitting the esm repository:
$ sudo apt-get update | grep esm
Get:1 https://esm.ubuntu.com trusty-infra-security InRelease
Get:2 https://esm.ubuntu.com trusty-infra-updates InRelease
...
# verify that an esm pinning file was installed. Check that esm.ubuntu.com shows up in the apt-cache policy output, and that its pinning is negative:
$ apt-cache policy | grep esm
-32768 https://esm.ubuntu.com/ubuntu/ trusty-infra-updates/main ppc64el Packages
origin esm.ubuntu.com
-32768 https://esm.ubuntu.com/ubuntu/ trusty-infra-security/main ppc64el Packages
origin esm.ubuntu.com
# upgrade to the ubuntu-advantage-tools package from proposed and repeat the test. apt-get update shouldn't be hitting the ESm repository anymore, and the policy output should be empty as well:
$ sudo apt install ubuntu-advantage-tools # from trusty-proposed
$ apt-get update
<empty>
$ apt-cache policy | grep esm
<empty>
# conversely, on a x86 system, the output should remain the same, i.e., esm should be listed and again with a negative pinning
[Regression Potential]
The logic relies on architecture names returned by `dpkg --print-architecture`. It there is a change in its output, or some other bug, we could be disabling (or enabling) the esm repository where we shouldn't.
[Other Info]
The knowledge about which architectures are supported is now statically stored in the package, which is a bit unfortunate. The final authority is the contract server, and the actual esm repository. This information is sent to the client, but we are not making a network call in postinst to verify that. One reason being that the launchpad builders and DEP8 runners block such egress traffic.
If esm-infra was already enabled before applying the update, it will become disabled on non-x86 architectures. Since there are no non-x86 ESM updates available, this is just reflecting the truth about the support.
[Original Description]
The shiny new ubuntu-advantage-tools client adds ESM to sources.list.d unconditionally on all architectures, but the ESM archive itself currently only publishes for x86. One of those two things is a bug.
Personally, I think it's a bug we don't publish ESM for all the same arches as we released for (even if we don't update all the packages for all arches, people would at least get things like tzdata updates), but if the intent is to be strictly x86-only, then ubuntu-advantage-tools is very much in the wrong here, as it creates a situation where apt-get update fails on all !x86. |
[Impact]
The ubuntu-advantage-tools package ("uat", for short) installs by default a sources.list snippet so that the machine can become aware of available ESM updates. They cannot be downloaded without authentication, so to prevent them from being considered in updates, an apt preferences file is also installed pinning the esm repository down.
Turns out that ESM is only available for the x86 architecture, and installing that sources.list snippet for other architectures leads to apt-get update failures.
A mitigation was put in place on the ESM repository to publish an empty archive for these unsupported architectures, so apt-get update won't fail.
The change in this SRU adds another case for when postinst configures and unconfigures ESM, and that is an architecture check via `dpkg --print-architecture`.
This by itself is not enough to prevent users from trying to enable esm-infra on non-x86 architectures, as the contract server is still incorrectly advertising that support. This has been fixed in the staging deployment and a production deployment with this change should happen soon as well, completing the fix for this issue.
[Test Case]
# Install the current trusty-updates ubuntu-advantage-tools on a non-x86 system (armhf, arm64, ppc64el, or s390x).
$ sudo apt install ubuntu-advantage-tools
# verify that apt-get update is hitting the esm repository:
$ sudo apt-get update | grep esm
Get:1 https://esm.ubuntu.com trusty-infra-security InRelease
Get:2 https://esm.ubuntu.com trusty-infra-updates InRelease
...
# verify that an esm pinning file was installed. Check that esm.ubuntu.com shows up in the apt-cache policy output, and that its pinning is negative:
$ apt-cache policy | grep esm
-32768 https://esm.ubuntu.com/ubuntu/ trusty-infra-updates/main ppc64el Packages
origin esm.ubuntu.com
-32768 https://esm.ubuntu.com/ubuntu/ trusty-infra-security/main ppc64el Packages
origin esm.ubuntu.com
# upgrade to the ubuntu-advantage-tools package from proposed and repeat the test. apt-get update shouldn't be hitting the ESm repository anymore, and the policy output should be empty as well:
$ sudo apt install ubuntu-advantage-tools # from trusty-proposed
$ apt-get update | grep esm
<empty>
$ apt-cache policy | grep esm
<empty>
# conversely, on a x86 system, the output should remain the same, i.e., esm should be listed and again with a negative pinning
[Regression Potential]
The logic relies on architecture names returned by `dpkg --print-architecture`. It there is a change in its output, or some other bug, we could be disabling (or enabling) the esm repository where we shouldn't.
[Other Info]
The knowledge about which architectures are supported is now statically stored in the package, which is a bit unfortunate. The final authority is the contract server, and the actual esm repository. This information is sent to the client, but we are not making a network call in postinst to verify that. One reason being that the launchpad builders and DEP8 runners block such egress traffic.
If esm-infra was already enabled before applying the update, it will become disabled on non-x86 architectures. Since there are no non-x86 ESM updates available, this is just reflecting the truth about the support.
[Original Description]
The shiny new ubuntu-advantage-tools client adds ESM to sources.list.d unconditionally on all architectures, but the ESM archive itself currently only publishes for x86. One of those two things is a bug.
Personally, I think it's a bug we don't publish ESM for all the same arches as we released for (even if we don't update all the packages for all arches, people would at least get things like tzdata updates), but if the intent is to be strictly x86-only, then ubuntu-advantage-tools is very much in the wrong here, as it creates a situation where apt-get update fails on all !x86. |
|
2019-11-27 14:01:02 |
Andreas Hasenack |
tags |
verification-needed verification-needed-trusty |
verification-done-trusty verification-needed |
|
2020-01-10 16:57:14 |
Chad Smith |
tags |
verification-done-trusty verification-needed |
verification-done verification-done-trusty |
|
2020-01-14 23:41:33 |
Chris Halse Rogers |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2020-01-14 23:45:23 |
Launchpad Janitor |
ubuntu-advantage-tools (Ubuntu Trusty): status |
Fix Committed |
Fix Released |
|
2020-01-15 02:38:28 |
Chad Smith |
ubuntu-advantage-tools (Ubuntu): status |
Triaged |
Fix Committed |
|
2020-02-28 12:26:45 |
Launchpad Janitor |
ubuntu-advantage-tools (Ubuntu): status |
Fix Committed |
Fix Released |
|