unattended-upgrades 0.92ubuntu3 installs all updates but update-manager is set to only install security automatically on development release

Bug #1649709 reported by Jeremy Bicha on 2016-12-13
This bug affects 3 people
Affects: unattended-upgrades (Ubuntu) | Importance: Medium | Assigned to: Brian Murray

Bug Description

I opened my Zesty virtual machine in VirtualBox to manually install updates.

I was surprised to see that unattended-upgrades was running and installed all the updates for me.

update-manager is set to the default settings:
- Download and install security updates automatically
- Display other updates weekly

I assume this is a regression caused by the fix for bug 1624641.

Allowed origins are: ['o=Ubuntu,a=zesty', 'o=Ubuntu,a=zesty-security']

And obviously zesty-security isn't open yet.

ProblemType: Bug
DistroRelease: Ubuntu 17.04
Package: unattended-upgrades 0.93.1
ProcVersionSignature: Ubuntu 4.8.0-30.32-generic 4.8.6
Uname: Linux 4.8.0-30-generic x86_64
ApportVersion: 2.20.3-0ubuntu8
Architecture: amd64
CurrentDesktop: GNOME
Date: Tue Dec 13 17:26:22 2016
InstallationDate: Installed on 2016-10-27 (47 days ago)
InstallationMedia: Ubuntu-GNOME 17.04 "Zesty Zapus" - Alpha amd64 (20161027)
PackageArchitecture: all
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: unattended-upgrades
UpgradeStatus: No upgrade log present (probably fresh install)

Jeremy Bicha (jbicha) on 2016-12-13
description: updated
Jeremy Bicha (jbicha) wrote :

I tested this on yakkety and on yakkety it appears to do the right thing. My guess is that it's confused when the security pocket is empty?

Changed in unattended-upgrades (Ubuntu):
assignee: nobody → Brian Murray (brian-murray)
milestone: none → ubuntu-17.01

I just ran into this on my KDE Neon system when I noticed this morning that a full upgrade of the neon packages was running that I hadn't triggered myself.

From what I can tell, adding "${distro_id}:${distro_codename}" to /etc/apt/apt.conf.d/50unattended-upgrades has the effect of enabling unattended updates for any changes to the main release archive (xenial, in this case).

In the context of a released distro like xenial or yakkety, this works because there are few if any changes to the main archive. But in the case of Zesty, which is presumably under heavy development, changes *are* being made to the main archive, so those updates are being applied.

So I don't think unattended-upgrades is confused - it's doing exactly what the configuration tells it to do: install updates either from the main repository or -security. This doesn't happen in xenial or yakkety simply because there are no updates in the main repo to apply.

That's my guess, anyway, based on my quick crash-course in unattended-upgrades. :-)

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in unattended-upgrades (Ubuntu):
status: New → Confirmed
Ubuntu QA Website (ubuntuqa) wrote :

This bug has been reported on the Ubuntu ISO testing tracker.

A list of all reports related to this bug can be found here:
http://iso.qa.ubuntu.com/qatracker/reports/bugs/1649709

tags: added: iso-testing
Jeremy Bicha (jbicha) on 2017-05-15
Changed in unattended-upgrades (Ubuntu):
importance: Undecided → Medium
Changed in unattended-upgrades (Ubuntu):
milestone: ubuntu-17.01 → ubuntu-17.05
Changed in unattended-upgrades (Ubuntu):
status: Confirmed → In Progress
Brian Murray (brian-murray) wrote :

I've added a new config option to 50unattended-upgrades which will by default prevent the development release of Ubuntu from being upgraded.

// This option controls whether the development release of Ubuntu will be
// upgraded automatically.
Unattended-Upgrade::DevRelease "false";

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unattended-upgrades - 0.93.1ubuntu6

---------------
unattended-upgrades (0.93.1ubuntu6) artful; urgency=medium

  * unattended-upgrades: Do not automatically upgrade the development release
    of Ubuntu unless Unattended-Upgrade::DevRelease is true. (LP: #1649709)

 -- Brian Murray <email address hidden> Wed, 17 May 2017 16:28:32 -0700

Changed in unattended-upgrades (Ubuntu):
status: In Progress → Fix Released
Balint Reczey (rbalint) wrote :

I think this is not really a bug.

> update-manager is set to the default settings:
> - Download and install security updates automatically
> - Display other updates weekly
>
> I assume this is a regression caused by the fix for bug 1624641.
>
> Allowed origins are: ['o=Ubuntu,a=zesty', 'o=Ubuntu,a=zesty-security']
>
> And obviously zesty-security isn't open yet.

The default settings are confusing in this case since zesty-security is not open, thus security updates can't be separated from the rest of the updates in zesty during the development period.

If one does not want to run unattended-upgrade on a system running development release the package can simply be removed.

Balint Reczey (rbalint) wrote :

So I agree with Terry's comment.

Balint Reczey (rbalint) on 2017-08-01
summary: unatttended-upgrades 0.92ubuntu3 installs all updates but update-manager
- is set to only install security automatically
+ is set to only install security automatically on development release
Dimitri John Ledkov (xnox) wrote :

Stable releases have a frozen release suite (e.g. "xenial") and all package changes land in pocket suites - "xenial-updates", "xenial-security".

During development of a series, the pocket suites are not in use, and the release suite e.g. "artful" today is the one where all the changes land.

Not upgrading people in the devel suite creates a limbo state where people are stuck on a snapshot of a devel release which is not supported at all. And get a massive dist-upgrade on release date, when it's no longer a dev-series. Also, how would one get the update to unmark oneself to no longer be a dev-series, if u-a is not doing anything?

I think we need to revert this change, and mark it as won't fix. There is no security support for devel series, and pretending that we install security only updates on devel series is silly.
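
Added example, not part of the original report or of the unattended-upgrades code: a simplified Python model of the origin matching discussed in the comments above, showing why the same Allowed-Origins stanza selects only security updates on a stable release but every Ubuntu update on a development release. The stanza text, package names and the PPA origin are constructed sample data, and matching on exact (origin, archive) pairs is a simplifying assumption.

```python
import re

# Constructed sample of the Allowed-Origins stanza discussed in the thread.
SAMPLE_CONF = '''
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
//      "${distro_id}:${distro_codename}-updates";
};
'''

def allowed_origins(conf, distro_id, codename):
    """Return (origin, archive) pairs from the stanza, skipping // comments."""
    body = re.search(r"Allowed-Origins\s*\{(.*?)^\};", conf, re.S | re.M).group(1)
    pairs = []
    for line in body.splitlines():
        line = line.split("//", 1)[0]          # drop commented-out entries
        for entry in re.findall(r'"([^"]+)"', line):
            entry = entry.replace("${distro_id}", distro_id)
            entry = entry.replace("${distro_codename}", codename)
            origin, archive = entry.split(":", 1)
            pairs.append((origin, archive))
    return pairs

def as_debug_strings(pairs):
    """Format pairs the way the 'Allowed origins are:' log line shows them."""
    return [f"o={origin},a={archive}" for origin, archive in pairs]

def auto_installed(candidates, allowed):
    """Names of pending upgrades whose candidate comes from an allowed origin."""
    return [name for name, origin, archive in candidates
            if (origin, archive) in allowed]

# Constructed pending upgrades: (package, origin, archive of the candidate).
# Stable: the release suite is frozen, so changes arrive via the pockets.
STABLE = [("openssl", "Ubuntu", "xenial-security"),
          ("gedit", "Ubuntu", "xenial-updates")]
# Development: pockets are unused, every change lands in the release suite.
DEVEL = [("openssl", "Ubuntu", "zesty"),
         ("gedit", "Ubuntu", "zesty"),
         ("example-tool", "LP-PPA-example", "zesty")]

def demo():
    stable = auto_installed(STABLE, allowed_origins(SAMPLE_CONF, "Ubuntu", "xenial"))
    devel = auto_installed(DEVEL, allowed_origins(SAMPLE_CONF, "Ubuntu", "zesty"))
    return stable, devel

if __name__ == "__main__":
    print(as_debug_strings(allowed_origins(SAMPLE_CONF, "Ubuntu", "zesty")))
    print(demo())
```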
