I came across a scenario where the output of `/usr/lib/update-notifier/apt-check --human-readable` is showing some (not all) esm updates as being installable when esm itself is disabled:
ubuntu@trusty-desktop:~$ sudo /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is not enabled.
456 updates can be installed immediately.
10 of these updates are provided through UA Infrastructure ESM.
378 of these updates are security updates.
To see these additional updates run: apt list --upgradable
Enable UA Infrastructure ESM to receive 127 additional security updates.
See https://ubuntu.com/advantage or run: sudo ua status
If you look carefully, you will see that it's contradicting itself by saying esm is enabled and disabled at the same time:
- 10 ESM updates can be installed immediately
- ESM is disabled, and if you enable ESM you will get 127 additional updates
I believe this comes from apt_check.py:253:
    # now check for security updates that are masked by a
    # canidate version from another repo (-proposed or -updates)
    for ver in pkg.version_list:
        if (inst_ver and
            apt_pkg.version_compare(ver.ver_str, inst_ver.ver_str) <= 0):
            #print("skipping '%s' " % ver.VerStr)
            continue
        if isESMUpgrade(ver):
            esm_updates += 1
        if isSecurityUpgrade(ver):
            security_updates += 1
            break
I believe that is ignoring the fact that ESM is disabled. I added a pdb to check which package it was considering as an esm update, and the first response was dbus, which is in this peculiar state in the archive:
ubuntu@trusty-desktop:~$ apt-cache policy dbus
dbus:
  Installed: 1.6.18-0ubuntu4.3
  Candidate: 1.6.18-0ubuntu4.5
  Version table:
     1.6.18-0ubuntu4.5+esm1 0
     -32768 https://esm.ubuntu.com/ubuntu/ trusty-infra-security/main amd64 Packages
     1.6.18-0ubuntu4.5 0
        500 http://br.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
     1.6.18-0ubuntu4.4 0
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
 *** 1.6.18-0ubuntu4.3 0
        100 /var/lib/dpkg/status
     1.6.18-0ubuntu4 0
        500 http://br.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
Maybe we just need to guard that isESMUpgrade(ver) call with "if have_esm and isESMUpgrade(ver)"?
The other place in the code a bit up from the above which also increments esm_updates isn't run in this scenario, so the 10 packages must come from the check I highlighted above.
Other info:
update-notifier 0.154.1ubuntu8 from trusty-updates
ubuntu-advantage-tools 19.6~ubuntu14.04.4 from trusty-updates
ua is attached, but esm disabled:
ubuntu@trusty-desktop:~$ ua status
SERVICE ENTITLED STATUS DESCRIPTION
cc-eal yes n/a Common Criteria EAL2 Provisioning Packages
cis-audit no — Center for Internet Security Audit Tools
esm-infra yes disabled UA Infra: Extended Security Maintenance
fips yes n/a NIST-certified FIPS modules
fips-updates yes n/a Uncertified security updates to FIPS modules
livepatch yes disabled Canonical Livepatch service
Enable services with: ua enable <service>
Account: <email address hidden>
Subscription: <email address hidden>