update manager tries to download stale files?

Bug #420009 reported by Dan Kegel on 2009-08-27
This bug affects 3 people
Affects Status Importance Assigned to Milestone
update-manager (Ubuntu)

Bug Description

Binary package hint: update-manager

An ubuntu-9.04 system that had been turned off for a couple weeks
was turned on today, and Update Manager asked to update a
bunch of packages. It encountered the following error:

W: Failed to fetch
 404 Not Found [IP: 80]

Presumably this system had done an apt-get update, but been
shut down before actually installing the available updates, and
when the system came back up, the update manager tried to get that package,
but failed because that package is now obsolete, having been replaced with
a newer one several weeks ago.

This seems like it wouldn't happen with packages provided directly by
Ubuntu, since old packages are rarely removed from their repo;
it's specific to third party repositories which are rapidly updated
and where obsolete packages are routinely removed from the repo.
It might also happen with Ubuntu alpha releases; I think they
remove buggy packages from the repo if they cause problems.

It seems that update-manager should do an apt-get update to
get a fresh list of packages before trying to do the install.

Running outdated packages can widen the window of vulnerability,
so this is a security problem.

Dan Kegel (dank) on 2009-08-27
visibility: private → public
Jamie Strandboge (jdstrand) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

security vulnerability: yes → no
to be removed (liw) wrote :

This does happen to regular Ubuntu archives as well, during the development phase. For a released version iti is obviously rare.

However, since doing an "apt-get update" can be heavy, especially on slower machines, it's not necessarily a good idea to do it always before installing upgrades. I'd say that the mechanisms we have in place of keeping the packge lists up to date daily should take of the security aspect.

It might help if the dialog saying packages couldn't be downloaded would warn about package lists being up to date. Or the upgrade action could the dates of the updates and warn if they're older than a day or two.

Changed in update-manager (Ubuntu):
status: New → Triaged
importance: Undecided → Low
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers