ubuntu-security-status shouldn't display information about ESM for Apps

Bug #1955471 reported by sudodus
This bug affects 4 people
| Affects | Status | Importance | Assigned to | Milestone |
|---------|--------|------------|-------------|-----------|
| update-manager (Ubuntu) | Fix Released | High | Brian Murray | |
| Focal | Fix Released | High | Brian Murray | |

Bug Description

[Impact]

Users could have a message saying that packages are covered by ESM-Apps even in series which are not under LTS support yet. ESM-Apps will cover that, but it is still unreleased, which led to confusion on why users are seeing messages about it.

ESM-Apps is currently a beta service, and users who explicitly enabled it can use it. Ubuntu Advantage Tools only shows relevant information about ESM-Apps if it is enabled. Ubuntu-security-status should do the same.

[Test Plan]
Attached to the bug there is a test script showing the messages, and how they behave with the proposed patch.

[Where problems could occur]
There may be problems if there is the desire to show ESM-Apps related information before it comes out of beta. If people (products people?) change their minds and want to show those messages, there would be a need of a subsequent SRU. This is not a possibility being considered today.

People with access to ESM-Apps can still see the message and be confused about it, but if they have access to it in beta it means they have the appropriate context.

[Additional Information]
ubuntu-security-status is useful on its own (i.e. for Impish), but the changes we are making here are its integration with ubuntu-advantage and ESM, which is not relevant for Impish, so this change is not being SRU'ed there.

[Original Description]

There seems to be a misleading, incorrect message in

ubuntu-security-status

ESM wouldn’t be needed (or even enabled) until 20.04 is EOL, in 2025.

---

See this link:

https://discourse.ubuntu.com/t/why-is-extended-security-maintenance-needed-for-apps-in-ubuntu-20-04-x-lts-in-2021/25871

tester@lenovo-v130:~$ ubuntu-security-status
1832 packages installed, of which:
1673 receive package updates with LTS until 4/2025
 152 could receive security updates with ESM Apps until 4/2030
   7 packages are from third parties

Packages from third parties are not provided by the official Ubuntu
archive, for example packages from Personal Package Archives in
Launchpad.
For more information on the packages, run 'ubuntu-security-status
--thirdparty'.

Enable Extended Security Maintenance (ESM Apps) to get 10 security
updates (so far) and enable coverage of 152 packages.

This machine is not attached to an Ubuntu Advantage subscription.
See https://ubuntu.com/advantage
tester@lenovo-v130:~$

Questions

    Why is Extended Maintenance needed for apps in Ubuntu 20.04.x LTS in 2021?

    Which are those 10 security updates that need ESM? Is there a link where they are listed?

    Where are the 152 packages (that need ESM) listed?

---

I was told to report this as a bug by oSoMoN:

        Why is Extended Maintenance needed for apps in Ubuntu 20.04.x LTS in 2021?
        Which are those 10 security updates that need ESM? Is there a link where they are listed?

This sounds like a misleading, incorrect message. ESM wouldn’t be needed (or even enabled) until 20.04 is EOL, in 2025. Can you file a bug issuing the following command: ubuntu-bug update-manager-core ?

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: update-manager-core 1:20.04.10.9
ProcVersionSignature: Ubuntu 5.11.0-43.47~20.04.2-generic 5.11.22
Uname: Linux 5.11.0-43-generic x86_64
ApportVersion: 2.20.11-0ubuntu27.21
Aptdaemon:

Architecture: amd64
CasperMD5CheckResult: skip
CurrentDesktop: ubuntu:GNOME
Date: Tue Dec 21 09:43:33 2021
GsettingsChanges:
 b'com.ubuntu.update-manager' b'launch-count' b'12'
 b'com.ubuntu.update-manager' b'first-run' b'false'
 b'com.ubuntu.update-manager' b'launch-time' b'int64 1639852408'
InstallationDate: Installed on 2020-09-04 (472 days ago)
InstallationMedia: Ubuntu 20.04.1 LTS "Focal Fossa" - Release amd64 (20200731)
PackageArchitecture: all
SourcePackage: update-manager
UpgradeStatus: No upgrade log present (probably fresh install)

sudodus (nio-wiklund) wrote :
Julian Andres Klode (juliank) wrote :

Suffice it to say, I don't think there's a bug here in update-manager. You are thinking about ESM Infra, while this is about ESM Apps, which has not yet been properly announced, afaict.

So, I'm closing this bug report, and suggest that discussion continues on Discourse. Do note that we are on break until January 4.

Changed in update-manager (Ubuntu):
status: New → Invalid
Julian Andres Klode (juliank) wrote :

For the record, updates are available in ESM Apps for

+=====================================+=======================================+
| Package | Version |
+-------------------------------------+---------------------------------------+
| ant | 1.10.7-1ubuntu0.1~esm1 |
| ant-doc | 1.10.7-1ubuntu0.1~esm1 |
| ant-optional | 1.10.7-1ubuntu0.1~esm1 |
| axel | 2.17.5-1ubuntu1+esm1 |
| ffmpeg | 7:4.2.4-1ubuntu0.1+esm1 |
| ffmpeg-doc | 7:4.2.4-1ubuntu0.1+esm1 |
| glances | 3.1.3-1ubuntu0.1~esm1 |
| glances-doc | 3.1.3-1ubuntu0.1~esm1 |
| graphicsmagick | 1.4+really1.3.35-1ubuntu0.1~esm1 |
| graphicsmagick-dbg | 1.4+really1.3.35-1ubuntu0.1~esm1 |
| graphicsmagick-imagemagick-compat | 1.4+really1.3.35-1ubuntu0.1~esm1 |
| graphicsmagick-libmagick-dev-compat | 1.4+really1.3.35-1ubuntu0.1~esm1 |
| hello | 2.10-2ubuntu3~esm1 |
| inetutils-ftp | 2:1.9.4-11ubuntu0.1+esm1 |
| inetutils-ftpd | 2:1.9.4-11ubuntu0.1+esm1 |
| inetutils-inetd | 2:1.9.4-11ubuntu0.1+esm1 |
| inetutils-ping | 2:1.9.4-11ubuntu0.1+esm1 |
| inetutils-syslogd | 2:1.9.4-11ubuntu0.1+esm1 |
| inetutils-talk | 2:1.9.4-11ubuntu0.1+esm1 |
| inetutils-talkd | 2:1.9.4-11ubuntu0.1+esm1 |
| inetutils-telnet | 2:1.9.4-11ubuntu0.1+esm1 |
| inetutils-telnetd | 2:1.9.4-11ubuntu0.1+esm1 |
| inetutils-tools | 2:1.9.4-11ubuntu0.1+esm1 |
| inetutils-traceroute | 2:1.9.4-11ubuntu0.1+esm1 |
| libavcodec-dev | 7:4.2.4-1ubuntu0.1+esm1 |
| libavcodec-extra | 7:4.2.4-1ubuntu0.1+esm1 |
| libavcodec-extra58 | 7:4.2.4-1ubuntu0.1+esm1 |
| libavcodec58 | 7:4.2.4-1ubuntu0.1+esm1 |
| libavdevice-dev | 7:4.2.4-1ubuntu0.1+esm1 |
| libavdevice58 | 7:4.2.4-1ubuntu0.1+esm1 |
| libavfilter-dev | 7:4.2.4-1ubuntu0.1+esm1 |
| libavfilter-extra | 7:4.2.4-1ubuntu0.1+esm1 |
| libavfilter-extra7 | 7:4.2.4-1ubuntu0.1+esm1 |
| libavfilter7 | 7:4.2.4-1ubuntu0.1+esm1 |
| libavformat-dev | 7:4.2.4-1ubuntu0.1+esm1 |
| libavformat58 | 7:4.2.4-1ubuntu0.1+esm1 |
| libavresample-dev ...

Olivier Tilloy (osomon) wrote :

Julian, how can the end-user tell the difference between ESM Infra and ESM Apps, if the latter hasn't been properly announced yet?

I am now myself confused as to why ESM (Infra or Apps) would be enabled at all on an LTS release that hasn't reached its EOL yet (we're talking about 20.04 here).

Perhaps this becomes clearer when ESM Apps is announced, but for now I wouldn't dismiss so promptly a request to clarify the message issued by ubuntu-security-status. Continuing the conversation on discourse sounds good to me.

sudodus (nio-wiklund) wrote :

Unfortunately, until [re]solved, several people are suspecting that there is a security hole here.

Renan Rodrigo (renanrodrigo) wrote :

Hello everyone.

In Ubuntu Advantage Client, as of now, `ua security-status` is showing ESM-Apps information only if it is enabled on the machine while the service is beta.

This patch does the same for `ubuntu-security-status`: it will only show ESM-Apps related information if:
- The user has enabled esm-apps through UA, or
- ESM Apps gets released and we remove the `beta` flag on the UA side.

Please let me know if this suffices and/or if there is anything else we could help with.

sudodus (nio-wiklund) wrote :

I think your patch is helpful, Renan :-)

I will ask at the Ubuntu Forum thread,

https://ubuntuforums.org/showthread.php?t=2466660&page=3&p=14075403#post14075403

if the people there agree that this suffices.

Sebastien Bacher (seb128) wrote :

@Renan, thanks. Maybe you could do a merge request for it, the vcs is on https://code.launchpad.net/update-manager

Changed in update-manager (Ubuntu):
status: Invalid → New
Changed in update-manager (Ubuntu):
importance: Undecided → High
tags: added: rls-jj-incoming
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "esmapps.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
summary: - Why is Extended Maintenance needed for apps in Ubuntu 20.04.x LTS in
- 2021?
+ ubuntu-security-status shouldn't display information about ESM for Apps
Changed in update-manager (Ubuntu):
status: New → In Progress
assignee: nobody → Brian Murray (brian-murray)
Changed in update-manager (Ubuntu Focal):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Brian Murray (brian-murray)
Brian Murray (brian-murray) wrote :

I've uploaded this for Jammy and Focal, thanks for the patch!

Renan Rodrigo (renanrodrigo) wrote :

Here is a script to test this patch against this bug.
The script runs on Focal because today there is no ESM-Apps availability for Jammy, but there is no series-specific behavior and it shall work the same.

description: updated
Renan Rodrigo (renanrodrigo) wrote :

Output of the aforementioned test

Brian Murray (brian-murray) wrote :

Having "1 packages" in the output is unfortunate.

Brian Murray (brian-murray) wrote :

Looking at output.txt why does it say "1 are receiving security updates with ESM Apps..." and then talk about enabling it?

---------------ENABLING ESM-APPS RELATED TEXT------------
565 packages installed, of which:
564 receive package updates with LTS until 4/2025
  1 are receiving security updates with ESM Apps until 4/2030

Enable Extended Security Maintenance (ESM Apps) to get 0 security
updates (so far) and enable coverage of 1 packages.

Enable ESM Apps with: ua enable esm-apps
---------------------------------------------------------

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package update-manager - 1:22.04.5

---------------
update-manager (1:22.04.5) jammy; urgency=medium

  * ubuntu-security-status: Check if ESM for Apps is enabled or if it is not
    in beta before displaying information about the packages available from
    there. (LP: #1955471)

 -- Brian Murray <email address hidden> Fri, 14 Jan 2022 10:18:30 -0800

Changed in update-manager (Ubuntu):
status: In Progress → Fix Released
Renan Rodrigo (renanrodrigo) wrote :

About the messages:
- The plurals are exactly as before, I didn't touch them, but I do agree that it can be improved. `1 are` could also be fixed.
- The upper message is telling that the package is covered by ESM-Apps, and receive security updates through ESM-Apps. The second part of the message tells you to enable it to get those updates.

If you want, I can send another small patch fixing these messages

Brian Murray (brian-murray) wrote :

If a package is covered by ESM-Apps but you don't have it enabled then I'd expect the message to be "1 could receive security updates with ESM Apps".

Renan Rodrigo (renanrodrigo) wrote :

I found it: there is a bug there for this message, because `esm_enabled` is considering only esm-infra and not esm-apps.

This patch fixes it, and improves pluralization of the messages.
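
An added example, not part of the thread or of update-manager's code: a sketch of the display rule described above (show ESM Apps text only when the service is enabled or no longer beta), with the wording keyed on esm-apps itself and pluralized. The `services` dictionary, the function names and the singular wording are assumptions made for this illustration.

```python
# Added illustration, not the update-manager source. The `services` layout and
# every function name are hypothetical; message wording follows the outputs
# quoted in this thread (the "until 4/2030" date is the one shown for Focal).

def noun(count, singular, plural):
    """Return the singular form only when count is exactly one."""
    return singular if count == 1 else plural


def show_esm_apps(services):
    """Gate described in the thread: display ESM Apps information only when
    the user enabled the service, or once it is no longer flagged beta."""
    apps = services["esm-apps"]
    return apps["enabled"] or not apps["beta"]


def esm_apps_lines(covered, pending, services):
    """Lines about ESM Apps for `covered` packages and `pending` updates."""
    if covered == 0 or not show_esm_apps(services):
        return []  # nothing to say, or service hidden while in beta
    # Key the wording on esm-apps itself; esm-infra being enabled says
    # nothing about whether these packages are receiving updates.
    enabled = services["esm-apps"]["enabled"]
    if enabled:
        verb = noun(covered, "is receiving", "are receiving")
    else:
        verb = "could receive"
    lines = [f"{covered} {verb} security updates with ESM Apps until 4/2030"]
    if not enabled:
        lines.append(
            "Enable Extended Security Maintenance (ESM Apps) to get "
            f"{pending} security {noun(pending, 'update', 'updates')} (so far) "
            f"and enable coverage of {covered} "
            f"{noun(covered, 'package', 'packages')}."
        )
    return lines


# Constructed machine states (not captured from a real system).
BETA_HIDDEN = {"esm-infra": {"enabled": True, "beta": False},
               "esm-apps": {"enabled": False, "beta": True}}
BETA_OPTED_IN = {"esm-infra": {"enabled": True, "beta": False},
                 "esm-apps": {"enabled": True, "beta": True}}
RELEASED_OFF = {"esm-infra": {"enabled": True, "beta": False},
                "esm-apps": {"enabled": False, "beta": False}}

if __name__ == "__main__":
    for name, state in [("beta, not enabled", BETA_HIDDEN),
                        ("beta, enabled", BETA_OPTED_IN),
                        ("released, not enabled", RELEASED_OFF)]:
        print(f"--- {name} ---")
        print("\n".join(esm_apps_lines(1, 0, state)) or "(no ESM Apps text)")
```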

Renan Rodrigo (renanrodrigo) wrote :

Here is an improved version of the test script, considering a couple more scenarios to show the singulars and plurals. There is also an output of a run, applying this patch after the previous one, and using a valid token for UA Apps.

Brian Murray (brian-murray) wrote :

I've uploaded the new changes for Jammy and Focal.

description: updated
Timo Aaltonen (tjaalton) wrote : Please test proposed package

Hello sudodus, or anyone else affected,

Accepted update-manager into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/update-manager/1:20.04.10.10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in update-manager (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-focal
Renan Rodrigo (renanrodrigo) wrote :

I repeated the same tests above, changing the script to use the package in `-proposed` instead of directly applying the patches.
As can be seen in the output, all the messages match the expected for each case, just like before.

tags: added: verification-done verification-done-focal
removed: verification-needed verification-needed-focal
Chris Halse Rogers (raof) wrote : Update Released

The verification of the Stable Release Update for update-manager has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package update-manager - 1:20.04.10.10

---------------
update-manager (1:20.04.10.10) focal; urgency=medium

  * ubuntu-security-status: Check if ESM for Apps is enabled or if it is not
    in beta before displaying information about the packages available from
    there. Additionally, improve pluralization in a couple of locations.
    (LP: #1955471)

 -- Brian Murray <email address hidden> Fri, 14 Jan 2022 10:28:42 -0800

Changed in update-manager (Ubuntu Focal):
status: Fix Committed → Fix Released
Besmir Zanaj (besmirzanaj-gmail) wrote :

Got this message today on a 20.04

4:19 $ sudo apt upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following security updates require Ubuntu Pro with 'esm-apps' enabled:
  libgraphicsmagick-q16-3 libmagick++-6.q16-8 libimage-magick-perl
  libmagickcore-6.q16-6-extra libimage-magick-q16-perl imagemagick
  libgegl-0.4-0 lynx-common libzmq5 python2.7-minimal libmagickwand-6.q16-6
  libgegl-common python2.7 python3-rsa lynx imagemagick-6.q16 libjs-jquery-ui
  libopenexr24 libsdl2-2.0-0 libsdl2-2.0-0 libmysofa1 libmagickcore-6.q16-6
  glances libpython2.7-minimal libpython2.7-stdlib imagemagick-6-common
Learn more about Ubuntu Pro at https://ubuntu.com/pro
The following packages will be upgraded:
  libsmbclient libwbclient0 python3-samba samba-common samba-common-bin samba-dsdb-modules samba-libs smbclient

14:19 $ date
Fri 27 Jan 2023 02:21:47 PM EST

Besmir Zanaj (besmirzanaj-gmail) wrote :

14:21 $ cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.5 LTS (Focal Fossa)"

Dario Petrillo (dariop1) wrote :

Can confirm that I get the same message on Ubuntu 20.04.5 LTS, while it should still be supported until 2025 without the need for ESM.
