Ubuntu
update-notifier package

  1. Bug #1883315
  2. Comment #0

Comment 0 for bug 1883315

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I came across a scenario where the output of `/usr/lib/update-notifier/apt-check --human-readable` is showing some (not all) esm updates as being installable when esm itself is disabled:

ubuntu@trusty-desktop:~$ sudo /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is not enabled.

456 updates can be installed immediately.
10 of these updates are provided through UA Infrastructure ESM.
378 of these updates are security updates.
To see these additional updates run: apt list --upgradable

Enable UA Infrastructure ESM to receive 127 additional security updates.
See https://ubuntu.com/advantage or run: sudo ua status

If you look carefully, you will see that it's contradicting itself by saying esm is enabled and disabled at the same time:
- 10 ESM updates can be installed immediately
- ESM is disabled, and if you enable ESM you will get 127 additional updates

I believe this comes from apt_check.py:253:

            # now check for security updates that are masked by a
            # canidate version from another repo (-proposed or -updates)
            for ver in pkg.version_list:
                if (inst_ver and apt_pkg.version_compare(ver.ver_str, inst_ver.ver_str) <= 0):
                    #print("skipping '%s' " % ver.VerStr)
                    continue
                if isESMUpgrade(ver):
                    esm_updates += 1
                if isSecurityUpgrade(ver):
                    security_updates += 1
                    break

I believe that is ignoring the fact that ESM is disabled. I added a pdb to check which package it was considering as an esm update, and the first response was dbus, which is in this peculiar state in the archive:
ubuntu@trusty-desktop:~$ apt-cache policy dbus
dbus:
  Installed: 1.6.18-0ubuntu4.3
  Candidate: 1.6.18-0ubuntu4.5
  Version table:
     1.6.18-0ubuntu4.5+esm1 0
       -32768 https://esm.ubuntu.com/ubuntu/ trusty-infra-security/main amd64 Packages
     1.6.18-0ubuntu4.5 0
        500 http://br.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
     1.6.18-0ubuntu4.4 0
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
 *** 1.6.18-0ubuntu4.3 0
        100 /var/lib/dpkg/status
     1.6.18-0ubuntu4 0
        500 http://br.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

Maybe we just need to guard that isESMUpgrade(ver) call with "if have_esm and isESMUpgrade(ver)"?

The other place in the code a bit up from the above which also increments esm_updates isn't run in this scenario, so the 10 packages must come from the check I highlighted above.

Other info:
update-notifier 0.154.1ubuntu8 from trusty-updates
ubuntu-advantage-tools 19.6~ubuntu14.04.4 from trusty-updates
ua is attached, but esm disabled:
ubuntu@trusty-desktop:~$ ua status
SERVICE ENTITLED STATUS DESCRIPTION
cc-eal yes n/a Common Criteria EAL2 Provisioning Packages
cis-audit no — Center for Internet Security Audit Tools
esm-infra yes disabled UA Infra: Extended Security Maintenance
fips yes n/a NIST-certified FIPS modules
fips-updates yes n/a Uncertified security updates to FIPS modules
livepatch yes disabled Canonical Livepatch service

Enable services with: ua enable <service>

     Account: <email address hidden>
Subscription: <email address hidden>