Showing esm update as installable when esm is disabled
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| update-notifier (Ubuntu) | Fix Released | High | Chad Smith | |
| Xenial | Fix Released | High | Lucas Albuquerque Medeiros de Moura | |
| Bionic | Fix Released | High | Lucas Albuquerque Medeiros de Moura | |
| Focal | Fix Released | High | Lucas Albuquerque Medeiros de Moura | |
| Groovy | Won't Fix | Undecided | Unassigned | |
| Hirsute | Fix Released | High | Chad Smith | |
| Impish | Fix Released | High | Chad Smith | |
Bug Description
[Impact]
When users get the update-notifier message through apt-check, they may find inconsistent behavior regarding ESM products. This is misleading, since we tell users that they don't have ESM Infra, but they do have ESM Infra packages that can be installed. This is poor marketing of our products.
[Test case]
To reproduce the issue, you can:
1. Launch the following old version of a xenial container:
lxc launch ubuntu:f4c4c60a6b752a381288ae72a1689a9da00f8e03b732c8d1b8a8fcd1a8890800 dev-x
2. Run apt update and install the updated version of update-notifier-common
3. Add the ubuntu-advantage-tools ppa:
https://code.launchpad.net/~ua-client/+archive/ubuntu/daily
4. Install ubuntu-advantage-tools
5. Install the latest version of uaclient from the stable ppa:
https://launchpad.net/~ua-client/+archive/ubuntu/stable
6. Comment out all mentions of xenial-security in /etc/apt/sources.list
7. Run apt update
8. Run /usr/lib/update-notifier/apt-check --human-readable
9. See a message like this:
UA Infra: Extended Security Maintenance (ESM) is not enabled.
256 packages can be updated.
5 of these updates are fixed through UA Infra: ESM.
5 of these updates are security updates.
To see these additional updates run: apt list --upgradable
Enable UA Infra: ESM to receive 5 additional security updates.
See https://ubuntu.com/security/esm or run: sudo ua status
To verify that the error is fixed:
1. Perform all the stages above until step 8
2. Install the new update-notifier from this ppa:
https://launchpad.net/~lamoura/+archive/ubuntu/update-notifier-test-ppa
3. Run /usr/lib/update-notifier/apt-check --human-readable
4. See a message like this:
256 updates can be installed immediately.
5 of these updates are security updates.
To see these additional updates run: apt list --upgradable
5. We are now only showing the ESM Infra specific message if the distro is ESM. To enforce that behavior, make the `is_esm_distro` function in `/usr/lib/update-notifier/apt-check` return True, then you will see this message:
UA Infra: Extended Security Maintenance (ESM) is not enabled.
256 updates can be installed immediately.
5 of these updates are security updates.
To see these additional updates run: apt list --upgradable
5 additional security updates can be applied with UA Infra: ESM
Learn more about enabling UA Infra: ESM service at https://ubuntu.com/esm
That is now correct.
[Where problems could occur]
The changes in this package should only be seen when MOTD is getting a new message. If that script fails for some reason, it seems that MOTD will only not present the message, which doesn't seem to be a system-critical issue. Additionally, we would potentially have tracebacks in the update-notifier logs. Finally, if the logic is also incorrect, we would be displaying incorrect ESM messages to the user. But since we are doing this now, as this bug shows, I don't think this is critical either.
[Discussion]
With ESM Apps going to production soon, we have decided to update the messages delivered by update-notifier apt-check to address the package count of ESM Apps and the possibility of installing more upgrades if the user has ESM Apps disabled.
We are also updating other parts of the messaging. First, we only display ESM Infra status on ESM distros. However, we will keep showing the ESM Infra package count on all of them.
For ESM Apps, we are only performing the alerts (for example, that you might have x package updates if ESM Apps is installed) if the user is on an LTS distro.
Since we are going to perform that change, we decided to also address this bit in the SRU, since it could harm the message we are delivering.
[Original Report]
I came across a scenario where the output of `/usr/lib/
ubuntu@
UA Infrastructure Extended Security Maintenance (ESM) is not enabled.
456 updates can be installed immediately.
10 of these updates are provided through UA Infrastructure ESM.
378 of these updates are security updates.
To see these additional updates run: apt list --upgradable
Enable UA Infrastructure ESM to receive 127 additional security updates.
See https:/
If you look carefully, you will see that it's contradicting itself by saying esm is enabled and disabled at the same time:
- 10 ESM updates can be installed immediately
- ESM is disabled, and if you enable ESM you will get 127 additional updates
I believe this comes from apt_check.py:253:
# now check for security updates that are masked by a
# candidate version from another repo (-proposed or -updates)
for ver in pkg.version_list:
if (inst_ver and apt_pkg.
if isESMUpgrade(ver):
if isSecurityUpgra
I believe that is ignoring the fact that ESM is disabled. I added a pdb to check which package it was considering as an esm update, and the first response was dbus, which is in this peculiar state in the archive:
ubuntu@
dbus:
Installed: 1.6.18-0ubuntu4.3
Candidate: 1.6.18-0ubuntu4.5
Version table:
1.
-32768 https:/
1.
500 http://
1.
500 http://
*** 1.6.18-0ubuntu4.3 0
100 /var/lib/
1.
500 http://
Maybe we just need to guard that isESMUpgrade(ver) call with "if have_esm and isESMUpgrade(ver)"?
The other place in the code a bit up from the above which also increments esm_updates isn't run in this scenario, so the 10 packages must come from the check I highlighted above.
Other info:
update-notifier 0.154.1ubuntu8 from trusty-updates
ubuntu-
ua is attached, but esm disabled:
ubuntu@
SERVICE ENTITLED STATUS DESCRIPTION
cc-eal yes n/a Common Criteria EAL2 Provisioning Packages
cis-audit no — Center for Internet Security Audit Tools
esm-infra yes disabled UA Infra: Extended Security Maintenance
fips yes n/a NIST-certified FIPS modules
fips-updates yes n/a Uncertified security updates to FIPS modules
livepatch yes disabled Canonical Livepatch service
Enable services with: ua enable <service>
Account: <email address hidden>
Subscription: <email address hidden>
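The following is an added example, not code from update-notifier or from the reporter. It models the counting loop quoted from apt_check.py above, runs it over a constructed version table shaped like the dbus entry in the report (a pinned-out ESM version at priority -32768, a newer -updates candidate, the installed version and the release version), and shows why the unguarded `isESMUpgrade(ver)` call counts an ESM update as installable while ESM is disabled, and what the suggested `have_esm and isESMUpgrade(ver)` guard changes. The version comparator, the candidate-selection rule, the origin classification, the `esm.ubuntu.com` host, the archive names and the version strings (including `+esm1`) are all assumptions of this model, not values taken from the page.

```python
import re
from dataclasses import dataclass, replace
from functools import cmp_to_key

# All hosts, archive names, priorities and version strings below are constructed
# for this example; the dbus version table in the report is truncated.
ESM_SITE = "esm.ubuntu.com"
DISABLED_PIN = -32768  # pin apt shows for the ESM origin while esm-infra is disabled


@dataclass(frozen=True)
class Origin:
    archive: str   # suite, e.g. "trusty-updates" or "trusty-infra-security"
    site: str      # repository host
    priority: int  # apt pin priority


@dataclass(frozen=True)
class Version:
    ver_str: str
    origins: tuple  # Origin entries this version is available from


@dataclass(frozen=True)
class Package:
    name: str
    installed: str
    versions: tuple  # the whole version table, as `apt-cache policy` lists it


_TOKEN = re.compile(r"\d+|\D+")


def version_compare(a, b):
    """Simplified Debian ordering (assumption: no epochs or '~'): digit runs
    compare numerically, other runs lexically, and the longer string wins."""
    ta = [int(t) if t.isdigit() else t for t in _TOKEN.findall(a)]
    tb = [int(t) if t.isdigit() else t for t in _TOKEN.findall(b)]
    for x, y in zip(ta, tb):
        if x == y:
            continue
        if isinstance(x, int) != isinstance(y, int):
            return -1 if isinstance(x, int) else 1  # digits sort before letters
        return -1 if x < y else 1
    return (len(ta) > len(tb)) - (len(ta) < len(tb))


_VKEY = cmp_to_key(version_compare)


def best_priority(ver):
    return max(o.priority for o in ver.origins)


def candidate(pkg):
    """apt's rule in miniature: highest pin priority wins, ties go to the higher
    version, and a negative priority means the version is never chosen."""
    eligible = [v for v in pkg.versions if best_priority(v) >= 0]
    return max(eligible, key=lambda v: (best_priority(v), _VKEY(v.ver_str)), default=None)


def is_security_upgrade(ver):
    # Keyed on the archive name; the ESM pocket name ends in -security as well.
    return any(o.archive.endswith("-security") for o in ver.origins)


def is_esm_upgrade(ver):
    return any(o.site == ESM_SITE for o in ver.origins)


def count_updates(pkg, have_esm, guard_esm):
    """One package's contribution to the apt-check counters. guard_esm=False
    mirrors the loop quoted in the report; guard_esm=True applies the proposed
    `have_esm and isESMUpgrade(ver)` guard."""
    counts = {"upgrades": 0, "security": 0, "esm": 0}
    cand = candidate(pkg)
    if cand is None or version_compare(cand.ver_str, pkg.installed) <= 0:
        return counts  # nothing to upgrade to
    counts["upgrades"] = 1
    if is_security_upgrade(cand):
        counts["security"] = 1
        return counts
    # Security updates masked by a candidate from another repo (-updates):
    # the pinned-out ESM version is still newer than the installed one, so the
    # unguarded check counts it even though apt will never install it.
    for ver in pkg.versions:
        if version_compare(ver.ver_str, pkg.installed) <= 0:
            continue
        if (have_esm or not guard_esm) and is_esm_upgrade(ver):
            counts["esm"] += 1
        if is_security_upgrade(ver):
            counts["security"] += 1
            break
    return counts


def summarize(packages, have_esm, guard_esm):
    total = {"upgrades": 0, "security": 0, "esm": 0}
    for pkg in packages:
        for key, value in count_updates(pkg, have_esm, guard_esm).items():
            total[key] += value
    return total


def is_contradictory(counts, have_esm):
    """The symptom in the report: ESM reported disabled, yet ESM updates
    reported as installable right now."""
    return not have_esm and counts["esm"] > 0


def with_esm_enabled(pkg):
    """Same table after the ESM origin gets a normal pin (ESM enabled)."""
    return replace(pkg, versions=tuple(
        replace(v, origins=tuple(
            replace(o, priority=500) if o.site == ESM_SITE else o for o in v.origins))
        for v in pkg.versions))


DBUS = Package("dbus", "1.6.18-0ubuntu4.3", (
    Version("1.6.18-0ubuntu4.3+esm1", (Origin("trusty-infra-security", ESM_SITE, DISABLED_PIN),)),
    Version("1.6.18-0ubuntu4.5", (Origin("trusty-updates", "archive.ubuntu.com", 500),)),
    Version("1.6.18-0ubuntu4.3", (Origin("trusty-updates", "archive.ubuntu.com", 500),
                                  Origin("now", "/var/lib/dpkg/status", 100))),
    Version("1.6.18-0ubuntu4", (Origin("trusty", "archive.ubuntu.com", 500),)),
))
# A package without any ESM version, to show the guard leaves it untouched.
VIM = Package("vim", "7.4.052-1ubuntu3", (
    Version("7.4.052-1ubuntu3.1", (Origin("trusty-security", "security.ubuntu.com", 500),)),
    Version("7.4.052-1ubuntu3", (Origin("now", "/var/lib/dpkg/status", 100),)),
))
```

With ESM disabled, the unguarded loop reports one installable ESM update for dbus while apt's candidate is the -updates version, which is exactly the contradiction the report describes; with the guard it reports none, and once the ESM origin carries a normal pin the same loop correctly reports the ESM update as a masked security update.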
Related branches
- git-ubuntu import: Pending requested
-
Diff: 29251 lines (+12561/-0) (has conflicts), 173 files modified.
- Bryce Harrington (community): Approve
-
Diff: 885 lines (+521/-143), 4 files modified:
data/apt_check.py (+186/-83)
debian/changelog (+17/-0)
debian/control (+2/-0)
tests/test_motd.py (+316/-60)
- Bryce Harrington (community): Approve
- Lucas Albuquerque Medeiros de Moura: Pending requested
- Brian Murray: Pending requested
-
Diff: 885 lines (+521/-143), 4 files modified:
data/apt_check.py (+186/-83)
debian/changelog (+17/-0)
debian/control (+2/-0)
tests/test_motd.py (+316/-60)
- Bryce Harrington (community): Approve
-
Diff: 910 lines (+535/-147), 5 files modified:
data/apt_check.py (+195/-83)
data/backend_helper.py (+1/-0)
debian/changelog (+17/-0)
debian/control (+2/-0)
tests/test_motd.py (+320/-64)
- Bryce Harrington (community): Approve
-
Diff: 897 lines (+533/-146), 4 files modified:
data/apt_check.py (+195/-81)
debian/changelog (+15/-0)
debian/control (+2/-0)
tests/test_motd.py (+321/-65)
- Bryce Harrington (community): Approve
-
Diff: 903 lines (+533/-149), 4 files modified:
data/apt_check.py (+195/-82)
debian/changelog (+15/-0)
debian/control (+2/-0)
tests/test_motd.py (+321/-67)
Changed in update-notifier (Ubuntu Xenial): | |
status: | New → Triaged |
importance: | Undecided → High |
Changed in update-notifier (Ubuntu Xenial): | |
assignee: | nobody → Lucas Albuquerque Medeiros de Moura (lamoura) |
Changed in update-notifier (Ubuntu Xenial): | |
status: | Triaged → In Progress |
Changed in update-notifier (Ubuntu Bionic): | |
assignee: | nobody → Lucas Albuquerque Medeiros de Moura (lamoura) |
Changed in update-notifier (Ubuntu Focal): | |
assignee: | nobody → Lucas Albuquerque Medeiros de Moura (lamoura) |
Changed in update-notifier (Ubuntu Hirsute): | |
assignee: | nobody → Chad Smith (chad.smith) |
Changed in update-notifier (Ubuntu Impish): | |
assignee: | nobody → Chad Smith (chad.smith) |
Changed in update-notifier (Ubuntu Bionic): | |
status: | New → In Progress |
Changed in update-notifier (Ubuntu Focal): | |
status: | New → In Progress |
Changed in update-notifier (Ubuntu Hirsute): | |
status: | New → In Progress |
Changed in update-notifier (Ubuntu Impish): | |
status: | New → In Progress |
Changed in update-notifier (Ubuntu Bionic): | |
importance: | Undecided → High |
Changed in update-notifier (Ubuntu Focal): | |
importance: | Undecided → High |
Changed in update-notifier (Ubuntu Hirsute): | |
importance: | Undecided → High |
Changed in update-notifier (Ubuntu Impish): | |
importance: | Undecided → High |
description: | updated |