unattended-upgrade ignores apt-pinning to not-allowed origins
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| unattended-upgrades (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned | ||
Bug Description
unattended-upgrade ignores apt-pinning to not-allowed origins
=======
BUG:
unattended-upgrade notices an upgrade available in NOT-ALLOWED ORIGINS,
but then completely ignores those repositories
even if they contain apt-pinned versions
that are more favorable than versions from allowed origins.
The situation repeats every time there is an upgrade available in an external PPA.
SOLUTION:
unattended-upgrade should not ignore NOT ALLOWED ORIGINS,
but check them for providing more favorable version
and in such case restrain from doing ANY upgrades for such packages.
Instructions for ubuntu lunar 23.04:
-------
0. Upgrade all packages, uninstall Firefox:
$ sudo apt update
$ sudo apt upgrade
$ sudo snap remove firefox
$ sudo apt remove firefox
$ apt-cache policy firefox
firefox:
Installed: (none)
Candidate: 1:1snap1-0ubuntu3
Version table:
500 http://
1. Add mozilla-team Firefox PPA and apt-pin it with priority 1001:
$ echo 'deb https:/
$ sudo apt-key adv --keyserver keyserver.
$ echo -e 'Package: *\nPin: release o=LP-PPA-
$ sudo apt update
$ apt-cache policy firefox
firefox:
Installed: (none)
Candidate: 117.0+build2-
Version table:
500 http://
1001 https:/
2. Install Firefox (from mozilla-team Firefox PPA, as pinned):
$ sudo apt install firefox
$ apt-cache policy firefox
firefox:
Installed: 117.0+build2-
Candidate: 117.0+build2-
Version table:
500 http://
*** 117.0+build2-
1001 https:/
100 /var/lib/
3. SIMULATE AVAILABLE UPGRADE by downgrading Firefox from Mozilla-Team's version for Ubuntu 23.04 to 22.04:
Download .deb. file from Mozilla-Team's PPA:
$ wget $(apt-get download --print-uris firefox | cut -d' ' -f1 | tr -d "'" | sed -E 's/0ubuntu0\
Install it:
$ sudo dpkg -i firefox_
dpkg: warning: downgrading firefox from 117.0+build2-
(Reading database ... 295244 files and directories currently installed.)
Preparing to unpack firefox_
Unpacking firefox (117.0+
Setting up firefox (117.0+
Please restart all running instances of firefox, or you will experience problems.
Processing triggers for gnome-menus (3.36.0-1.1ubuntu1) ...
Processing triggers for desktop-file-utils (0.26-1ubuntu5) ...
Processing triggers for mailcap (3.70+nmu1ubuntu1) ...
Processing triggers for hicolor-icon-theme (0.17-2) ...
Processing triggers for man-db (2.11.2-1) ...
$ apt-cache policy firefox
firefox:
Installed: 117.0+build2-
Candidate: 117.0+build2-
Version table:
500 http://
1001 https:/
*** 117.0+build2-
100 /var/lib/
4. Bug in unattended-upgrade:
Firefox is now at priority 100 ("now").
Firefox snap package is at priority 500.
Mozilla-Team PPA has priority 1001, BUT IS NOT IN UNATTENDED-
BUG: unattended-upgrade upgrades Firefox package to 1:1snap1-0ubuntu3:
$ sudo unattended-upgrade -v
Starting unattended upgrades script
Allowed origins are: o=Ubuntu,a=lunar, o=Ubuntu,
Initial blacklist:
Initial whitelist (not strict):
Packages that will be upgraded: firefox
Writing dpkg log to /var/log/
Preconfiguring packages ...
Preconfiguring packages ...
(Reading database ... 295244 files and directories currently installed.)
Preparing to unpack .../firefox_
=> Installing the firefox snap
==> Checking connectivity with the snap store
==> Installing the firefox snap
=> Snap installation complete
Unpacking firefox (1:1snap1-0ubuntu3) over (117.0+
dpkg: warning: unable to delete old directory '/etc/firefox': Directory not empty
dpkg: warning: unable to delete old directory '/etc/apport/
Setting up firefox (1:1snap1-0ubuntu3) ...
Removing obsolete conffile /etc/firefox/
Processing triggers for man-db (2.11.2-1) ...
Processing triggers for mailcap (3.70+nmu1ubuntu1) ...
Processing triggers for desktop-file-utils (0.26-1ubuntu5) ...
Processing triggers for hicolor-icon-theme (0.17-2) ...
Processing triggers for gnome-menus (3.36.0-1.1ubuntu1) ...
All upgrades installed
5. However apt will now (properly) want to downgrade Firefox to the version from PPA:
$ sudo apt upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
#
# You can verify the status of security fixes using the `pro fix` command.
# E.g., a recent Ruby vulnerability can be checked with: `pro fix USN-6219-1`
# For more detail see: https:/
#
The following packages will be DOWNGRADED:
firefox
0 upgraded, 0 newly installed, 1 downgraded, 0 to remove and 0 not upgraded.
Need to get 59.3 MB of archives.
After this operation, 216 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 https:/
Fetched 59.3 MB in 1s (45.4 MB/s)
dpkg: warning: downgrading firefox from 1:1snap1-0ubuntu3 to 117.0+build2-
(Reading database ... 295166 files and directories currently installed.)
Preparing to unpack .../firefox_
Unpacking firefox (117.0+
Setting up firefox (117.0+
Please restart all running instances of firefox, or you will experience problems.
Processing triggers for man-db (2.11.2-1) ...
Processing triggers for mailcap (3.70+nmu1ubuntu1) ...
Processing triggers for desktop-file-utils (0.26-1ubuntu5) ...
Processing triggers for hicolor-icon-theme (0.17-2) ...
Processing triggers for gnome-menus (3.36.0-1.1ubuntu1) ...
The situation repeats every time there is an upgrade available in an external PPA.
6. Conclusion:
unattended-upgrade should not ignore NOT ALLOWED ORIGINS,
but check them for providing more favorable version
and in such case restrain from doing ANY upgrades for such packages.
WORKAROUND
----------
A. Go back to mozilla-team's 22.04 deb:
$ sudo dpkg -i firefox_
$ sudo snap remove firefox
B. Pin Ubuntu's official version to 1:
$ echo -e 'Package: firefox\nPin: release o=Ubuntu\
$ apt-cache policy firefox
firefox:
Installed: 117.0+build2-
Candidate: 117.0+build2-
Version table:
500 http://
1001 https:/
*** 117.0+build2-
100 /var/lib/
C. Priority 1 < 100, so Firefox will NOT be upgraded to 1:1snap1-0ubuntu3
$ sudo unattended-upgrade -v
Starting unattended upgrades script
Allowed origins are: o=Ubuntu,a=lunar, o=Ubuntu,
Initial blacklist:
Initial whitelist (not strict):
MarkUpgrade() called on a non-upgradeable pkg: 'firefox'
No packages found that can be upgraded unattended and no pending auto-removals
D. apt will upgrade Firefox to the latest Mozilla-Team version:
$ sudo apt upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
#
# You can verify the status of security fixes using the `pro fix` command.
# E.g., a recent Ruby vulnerability can be checked with: `pro fix USN-6219-1`
# For more detail see: https:/
#
The following packages will be upgraded:
firefox
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 59.3 MB of archives.
After this operation, 751 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 https:/
Fetched 5171 kB in 0s (14.0 MB/s)
(Reading database ... 295244 files and directories currently installed.)
Preparing to unpack .../firefox_
Unpacking firefox (117.0+
Setting up firefox (117.0+
Please restart all running instances of firefox, or you will experience problems.
Processing triggers for man-db (2.11.2-1) ...
Processing triggers for mailcap (3.70+nmu1ubuntu1) ...
Processing triggers for desktop-file-utils (0.26-1ubuntu5) ...
Processing triggers for hicolor-icon-theme (0.17-2) ...
Processing triggers for gnome-menus (3.36.0-1.1ubuntu1) ...
| description: | updated |
| description: | updated |
| Piotr Henryk Dabrowski (phd) wrote | #7 |
| Changed in unattended-upgrades (Ubuntu): | |
| status: | New → Confirmed |
Bug https:/