Unattended upgrades handles new dependencies inconsistently

Bug #1446552 reported by Sjoerd Job Postmus on 2015-04-21
14
This bug affects 1 person
Affects Status Importance Assigned to Milestone
unattended-upgrades (Ubuntu)
High
Unassigned
Xenial
Undecided
Unassigned

Bug Description

[Impact]

When an installed package adds a dependency that is not yet installed on the system, this sometimes causes the package to not be installed, depending on the origin containing the original candidate version.

I believe that the problem is in /usr/bin/unattended-upgrade, line 102. Here a check is performed to prevent downgrades. However, as a side effect it also prevents adjusting the candidate version for packages that have not yet been installed (because pkg.is_upgradable is False for packages that have not been installed).

This makes updating private packages using unattended-upgrades troublesome, especially when new dependencies have been added. Currently it requires repackaging the dependencies with a slightly higher version number than what is in the main repository, and then hosting them on the private repository, which is time consuming and error-prone. With the included patch, it is sufficient to just host the same version on the private repository.

[Test Case]

- Create a testing package (doesn't have to really contain anything) that just installs 1 file into /usr/share/testpackage/, and have it depend on some packages.
- Put that package on a private repository (which is also configured for APT and unattended-upgrades)
- Install the package using `apt-get install testingpackage`
- Update the package as follows: 1. Add a dependency which is not yet installed on your machine (and is also not in the security-repository). Up the version number, and add it to the private repository.
- Run `unattended-upgrade --debug --apt-debug 2>&1 | tee output.txt`.
- Verify the package was not updated (missing dependency).
- Host the dependency on your private APT server as well (1-1 copy).
- Run `unattended-upgrade --debug --apt-debug 2>&1 | tee output.txt`.
- Verify the package was not updated (missing dependency).
- Re-build the dependency with a higher version number, and add it to your private APT repository.
- Run `unattended-upgrade --debug --apt-debug 2>&1 | tee output.txt`.
- Verify the package was now upgraded.

With the proposed patch, the upgrade would already succeed after hosting the exact copy on the private APT repository.

[Regression Potential]

The changed code logic now allows adjusting candidates of packages which are not upgradable and not installed. Since the changed check was there to avoid downgrades the possible regression would be somehow enabling downgrades accidentally. Adjusting _not_ installed packages in itself would not cause downgrading installed packages thus the change seems to be safe.

The attachment "also_adjust_candidate_version_for_non_installed_packages.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
tags: added: vivid
Changed in unattended-upgrades (Ubuntu):
status: New → Confirmed
importance: Undecided → High
tags: added: trusty utopic
Brian Murray (brian-murray) wrote :

Do you happen to have an example of a package which I could test this with?

@BrianMurray: Not anymore, unfortunately.

How I originally reproduced it was:

- Create a testing package (doesn't have to really contain anything) that just installs 1 file into /usr/share/testpackage/, and have it depend on some packages.
- Put that package on a private repository (which is also configured for APT and unattended-upgrades)
- Install the package using `apt-get install testingpackage`
- Update the package as follows: 1. Add a dependency which is not yet installed on your machine (and is also not in the security-repository). Up the version number, and add it to the private repository.
- Run `unattended-upgrade --debug --apt-debug 2>&1 | tee output.txt`.
- Verify the package was not updated (missing dependency).
- Host the dependency on your private APT server as well (1-1 copy).
- Run `unattended-upgrade --debug --apt-debug 2>&1 | tee output.txt`.
- Verify the package was not updated (missing dependency).
- Re-build the dependency with a higher version number, and add it to your private APT repository.
- Run `unattended-upgrade --debug --apt-debug 2>&1 | tee output.txt`.
- Verify the package was now upgraded.

With the proposed patch, the upgrade would already succeed after hosting the exact copy on the private APT repository.

If needed I could probably figure out how to reproduce this again, but it would take me quite some time, as I'd have to set-up everything again. Hopefully my description of the case is enough for you to reproduce this.

Let me know if you need my help in reproducing.

no longer affects: unattended-upgrades (Ubuntu Wily)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unattended-upgrades - 0.99ubuntu2

---------------
unattended-upgrades (0.99ubuntu2) bionic; urgency=medium

  * Run upgrade-between-snapshots only on amd64.
    The test exercises only unattented-upgrade's Python code and uses
    dependencies from the frozen Debian snapshot archive thus running
    it on all architectures would provide little benefit.

 -- Balint Reczey <email address hidden> Tue, 13 Feb 2018 11:41:20 +0700

Changed in unattended-upgrades (Ubuntu):
status: Confirmed → Fix Released
Balint Reczey (rbalint) on 2018-12-03
description: updated

Hello Sjoerd, or anyone else affected,

Accepted unattended-upgrades into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/unattended-upgrades/1.1ubuntu1.18.04.7~16.04.0 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in unattended-upgrades (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed verification-needed-xenial
Łukasz Zemczak (sil2100) wrote :

Hello Sjoerd, or anyone else affected,

Accepted unattended-upgrades into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/unattended-upgrades/1.1ubuntu1.18.04.7~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers