untrusted packages silently added to blacklist

Bug #1167053 reported by justin
This bug affects 6 people
Affects: unattended-upgrades (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

Packages that are not trusted are added to the blacklist, but no reason is ever printed out while running in debug mode, causing confusion as to why a package would be blacklisted until you dig into the source.

Release: All versions
Package: All versions

Expected behavior: Print out debug message that informs user package was blacklisted due to not being trusted
Actual behavior: Message saying package is blacklisted without reason

Still trying to figure out how to properly upload a patch to this, but basically just adding

logging.debug("%s blacklisted because it's not trusted" % pkgname_from_deb(item.destfile))

to line 946 would suffice

Ads20000 (ads20000) wrote :

I think you have to join the 'Ubuntu Branches' team and then update each package.

Ads20000 (ads20000) wrote :

Also, how did you create this bug? How can we reproduce it?

justin (jlintz) wrote :

I discovered this bug while trying to troubleshoot why unattended-upgrades wasn't installing packages on a lucid system.

Running 'unattended-upgrade --debug --dry-run' was showing the packages being added to the blacklist. I eventually discovered that having "APT::Get::AllowUnauthenticated 1;" set in a configuration under /etc/apt.conf.d was causing, for some reason, the packages to not be trusted even though they were coming from the authenticated "security.ubuntu.com lucid-security" repo. This is potentially another bug I need to file, since I'm unsure why that option should cause packages to not be trusted from trusted repos, but I haven't dug into where the issue may be yet, possibly libapt?

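The setting named in the comment above can be located by scanning apt configuration fragments for APT::Get::AllowUnauthenticated in both its flat and nested spellings. This is an added example, not part of the bug report or of unattended-upgrades; the fragment names and contents are constructed, and the set of values counted as true is an assumption of the example.

```python
import re

# Values counted as "true" for a boolean option (assumption of this example).
TRUE_VALUES = {"1", "yes", "true", "with", "on", "enable"}
TARGET = "apt::get::allowunauthenticated"
# Quoted string | comments (skipped) | punctuation | bare word
TOKEN = re.compile(r'"([^"]*)"|//[^\n]*|/\*.*?\*/|#[^\n]*|([{};])|([^\s{};"]+)', re.S)

def find_settings(text):
    """Return [(full option name, value)] for each 'Name value;' assignment."""
    scope, pending, found = [], [], []
    for match in TOKEN.finditer(text):
        quoted, punct, word = match.groups()
        if quoted is not None or word is not None:
            pending.append(quoted if quoted is not None else word)
        elif punct == "{":            # 'APT {' opens a scope named APT
            scope.append(pending[0] if pending else "")
            pending = []
        elif punct == "}":
            if scope:
                scope.pop()
            pending = []
        elif punct == ";":
            if len(pending) == 2:     # list items have one token and are skipped
                found.append(("::".join(scope + [pending[0]]), pending[1]))
            pending = []
    return found

def allows_unauthenticated(fragments):
    """fragments maps file name -> text; files apply in sorted order, last one wins."""
    enabled, source = False, None
    for name in sorted(fragments):
        for option, value in find_settings(fragments[name]):
            if option.lower() == TARGET:
                enabled, source = value.lower() in TRUE_VALUES, name
    return enabled, source

# Constructed sample fragments, not taken from the bug report.
SAMPLE_FRAGMENTS = {
    "20nested": 'APT { Get { AllowUnauthenticated "false"; }; };',
    "50proxy": 'Acquire::http::Proxy "http://proxy.example:3128"; // keep URL intact',
    "99local": "/* leftover from testing */\nAPT::Get::AllowUnauthenticated 1;",
}

if __name__ == "__main__":
    enabled, source = allows_unauthenticated(SAMPLE_FRAGMENTS)
    print("AllowUnauthenticated enabled:", enabled, "set in:", source)
```
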
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in unattended-upgrades (Ubuntu):
status: New → Confirmed

David Lang (david-lang) wrote :

It would actually be better to honor the sysadmin's instruction and install the untrusted packages rather than adding the packages to the blacklist.

--- /usr/bin/unattended-upgrade 2014-04-02 13:52:19.000000000 -0700
+++ /usr/bin/unattended-upgrade.local 2015-01-15 17:26:47.273378190 -0800
@@ -1028,7 +1028,8 @@
                 logging.error("Download finished, but file '%s' not "
                               "there?!?" % item.destfile)
                 sys.exit(1)
- if not item.is_trusted:
+ if not item.is_trusted and not apt_pkg.config.find_b(
+ "APT::Get::AllowUnauthenticated", True):
                 blacklisted_pkgs.append(pkgname_from_deb(item.destfile))
             if conffile_prompt(item.destfile):
                 # skip package (means to re-run the whole marking again
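Review bot: The default passed to find_b() in the new condition changes behaviour for systems that never set the option. With find_b("APT::Get::AllowUnauthenticated", True), an absent key reads as true, so "not item.is_trusted and not ..." evaluates to false and untrusted packages are no longer blacklisted on an unconfigured system. Pass False as the default so that only an explicit opt-in skips the blacklist. The branch also still logs nothing about why a package was blacklisted, which is what this report originally asked for; a logging.debug() call next to blacklisted_pkgs.append() naming the package and the reason would cover that.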

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unattended-upgrades - 1.9

---------------
unattended-upgrades (1.9) unstable; urgency=medium

  [ Julian Andres Klode ]
  * test_dev_release: Fix and enable test.
  * Depend on python3-distro-info.
    This is needed to make sure DEVEL_UNTIL_RELEASE actually works. We need
    to fix up travis in addition to control, as it only knows about trusty
    build dependencies.
  * Import distro_info globally, and fix calculation of days.
    The check was off by one: If you were 21 days away from the release,
    it would not switch on, but tell you that it would not upgrade before
    today.
  * test_dev_release: Test Unattended-Upgrade::DevRelease=auto.

  [ David Lang and Balint Reczey]
  * Allow installing untrusted packages when APT::Get::AllowUnauthenticated
    is set (Closes: #775469) (LP: #1167053)

  [ Hans van Kranenburg and Balint Reczey]
  * Clarify highly misleading Package-Blacklist option documentation
    (Closes: #753892)

  [ Balint Reczey ]
  * test/test_dev_release.py: Fix missing mock attributes
  * Leave the cache clean when returning from calculate_upgradable_pkgs()
    When collecting upgradable packages the upgradable ones stayed in the
    cache and they were upgraded together even when unattended-upgrades
    was configured to perform upgrades in minimal steps.
    Thanks to Paul Wise
  * debian/tests/upgrade-all-security: Check if all security-updates are
    applied and if old-autoremovable packages are kept
  * Clear cache only when needed when checking black- and whitelists
  * Add --no-minimal-upgrade-steps option
  * Stop using untrusted package names as blacklists (LP: #1805447)
  * Update copyright info
  * Load modules lazily loaded by datetime.datetime.strptime() when u-u starts
    When Python is upgraded to a new major version the version running
    unattended-upgrades can be removed as being newly unused causing a crash.
  * Start service after systemd-logind.service to be able to take inhibition lock
    and handle gracefully when logind is down (LP: #1806487)
  * List packages making reboot required in /var/run/reboot-required.pkgs

 -- Balint Reczey <email address hidden> Wed, 12 Dec 2018 13:41:49 +0100

Changed in unattended-upgrades (Ubuntu):
status: Confirmed → Fix Released