2020-06-01 17:52:22 |
Chad Smith |
bug |
|
|
added bug |
2020-06-01 17:58:06 |
Chad Smith |
attachment added |
|
apt-update-notifier-esm-security-pockets.patch https://bugs.launchpad.net/ubuntu/+source/update-notifier/+bug/1881632/+attachment/5379411/+files/apt-update-notifier-esm-security-pockets.patch |
|
2020-06-01 18:20:20 |
Chad Smith |
information type |
Public |
Private Security |
|
2020-06-01 18:26:51 |
Chad Smith |
information type |
Private Security |
Public Security |
|
2020-06-01 20:23:07 |
Ubuntu Foundations Team Bug Bot |
tags |
|
patch |
|
2020-06-02 13:18:43 |
Launchpad Janitor |
update-notifier (Ubuntu): status |
New |
Confirmed |
|
2020-06-02 19:32:51 |
Dimitri John Ledkov |
tags |
patch |
patch rls-gg-incoming |
|
2020-06-05 21:56:20 |
Mark Cunningham |
bug |
|
|
added subscriber Mark Cunningham |
2020-06-09 17:17:20 |
Andreas Hasenack |
bug |
|
|
added subscriber Andreas Hasenack |
2020-06-09 20:28:33 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/update-notifier/+git/update-notifier/+merge/385425 |
|
2020-06-12 19:14:15 |
Andreas Hasenack |
update-notifier (Ubuntu): assignee |
|
Andreas Hasenack (ahasenack) |
|
2020-06-12 19:14:18 |
Andreas Hasenack |
update-notifier (Ubuntu): status |
Confirmed |
In Progress |
|
2020-06-13 01:24:53 |
Launchpad Janitor |
update-notifier (Ubuntu): status |
In Progress |
Fix Released |
|
2020-06-22 17:50:49 |
Andreas Hasenack |
description |
ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.
The customer issue reported catches the symptom well:
"""
I believe there's a problem with "apt_check.py" in the "update-notifier-common" package when using "ua". I have enabled "ua" via "ua attach" and yet "apt-check" shows updates, but does not specify they are security updates, even though they are:
mrussell@deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
8 updates can be installed immediately.
8 of these updates are provided through UA Infrastructure ESM.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
Note, these are the packages:
mrussell@deputy:~$ apt list --upgradable
Listing... Done
apt/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable
from: 1.0.1ubuntu2.24]
apt-transport-https/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
apt-utils/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libapt-inst1.5/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libapt-pkg4.12/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libjson-c2/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
libjson0/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
If I change "isSecurityUpgrade()" to also include this
value in "security_pockets": ("UbuntuESM", "%s-infra-security" % DISTRO),
then, the output is correct:
mrussell@deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
8 updates can be installed immediately.
8 of these updates are provided through UA Infrastructure ESM.
8 of these updates are security updates.
To see these additional updates run: apt list --upgradable
""" |
[Impact]
ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.
[Test Case]
* Launch a trusty lxd. For example:
lxc launch ubuntu-daily:trusty trusty
* Update it to the latest publicly available updates:
sudo apt update && sudo apt dist-upgrade -y
* Make sure you have the latest ubuntu-advantage-tools:
sudo apt install ubuntu-advantage-tools
* Run the script that displays the motd bit about available updates:
sudo /usr/lib/update-notifier/apt-check --human-readable
* The output should be something like this, signaling there are only ESM updates available:
"""
UA Infrastructure Extended Security Maintenance (ESM) is not enabled.
0 updates can be installed immediately.
0 of these updates are security updates.
Enable UA Infrastructure ESM to receive 88 additional security updates.
See https://ubuntu.com/advantage or run: sudo ua status
"""
* Obtain an UA token for free at https://ubuntu.com/advantage
* Run attach:
sudo ua attach <token-obtained-in-previous-step>
* Confirm that esm-infra was enabled:
sudo ua status
* Run this command again to display the motd banner output about available updates:
sudo /usr/lib/update-notifier/apt-check --human-readable
* You should get something like this without the fix for this bug:
"""
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
89 updates can be installed immediately.
89 of these updates are provided through UA Infrastructure ESM.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
"""
* In the output above, which is without the fix, note how none of the available updates are flagged as security
* With the updated update-notifier package, the security updates count correctly includes the ESM security updates:
"""
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
88 updates can be installed immediately.
88 of these updates are provided through UA Infrastructure ESM.
85 of these updates are security updates.
To see these additional updates run: apt list --upgradable
"""
[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[Original Description]
ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.
The customer issue reported catches the symptom well:
"""
I believe there's a problem with "apt_check.py" in the "update-notifier-common" package when using "ua". I have enabled "ua" via "ua attach" and yet "apt-check" shows updates, but does not specify they are security updates, even though they are:
mrussell@deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
8 updates can be installed immediately.
8 of these updates are provided through UA Infrastructure ESM.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
Note, these are the packages:
mrussell@deputy:~$ apt list --upgradable
Listing... Done
apt/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable
from: 1.0.1ubuntu2.24]
apt-transport-https/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
apt-utils/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libapt-inst1.5/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libapt-pkg4.12/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libjson-c2/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
libjson0/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
If I change "isSecurityUpgrade()" to also include this
value in "security_pockets": ("UbuntuESM", "%s-infra-security" % DISTRO),
then, the output is correct:
mrussell@deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
8 updates can be installed immediately.
8 of these updates are provided through UA Infrastructure ESM.
8 of these updates are security updates.
To see these additional updates run: apt list --upgradable
""" |
|
2020-06-22 17:58:25 |
Andreas Hasenack |
description |
[Impact]
ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.
[Test Case]
* Launch a trusty lxd. For example:
lxc launch ubuntu-daily:trusty trusty
* Update it to the latest publicly available updates:
sudo apt update && sudo apt dist-upgrade -y
* Make sure you have the latest ubuntu-advantage-tools:
sudo apt install ubuntu-advantage-tools
* Run the script that displays the motd bit about available updates:
sudo /usr/lib/update-notifier/apt-check --human-readable
* The output should be something like this, signaling there are only ESM updates available:
"""
UA Infrastructure Extended Security Maintenance (ESM) is not enabled.
0 updates can be installed immediately.
0 of these updates are security updates.
Enable UA Infrastructure ESM to receive 88 additional security updates.
See https://ubuntu.com/advantage or run: sudo ua status
"""
* Obtain an UA token for free at https://ubuntu.com/advantage
* Run attach:
sudo ua attach <token-obtained-in-previous-step>
* Confirm that esm-infra was enabled:
sudo ua status
* Run this command again to display the motd banner output about available updates:
sudo /usr/lib/update-notifier/apt-check --human-readable
* You should get something like this without the fix for this bug:
"""
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
89 updates can be installed immediately.
89 of these updates are provided through UA Infrastructure ESM.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
"""
* In the output above, which is without the fix, note how none of the available updates are flagged as security
* With the updated update-notifier package, the security updates count correctly includes the ESM security updates:
"""
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
88 updates can be installed immediately.
88 of these updates are provided through UA Infrastructure ESM.
85 of these updates are security updates.
To see these additional updates run: apt list --upgradable
"""
[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[Original Description]
ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.
The customer issue reported catches the symptom well:
"""
I believe there's a problem with "apt_check.py" in the "update-notifier-common" package when using "ua". I have enabled "ua" via "ua attach" and yet "apt-check" shows updates, but does not specify they are security updates, even though they are:
mrussell@deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
8 updates can be installed immediately.
8 of these updates are provided through UA Infrastructure ESM.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
Note, these are the packages:
mrussell@deputy:~$ apt list --upgradable
Listing... Done
apt/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable
from: 1.0.1ubuntu2.24]
apt-transport-https/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
apt-utils/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libapt-inst1.5/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libapt-pkg4.12/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libjson-c2/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
libjson0/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
If I change "isSecurityUpgrade()" to also include this
value in "security_pockets": ("UbuntuESM", "%s-infra-security" % DISTRO),
then, the output is correct:
mrussell@deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
8 updates can be installed immediately.
8 of these updates are provided through UA Infrastructure ESM.
8 of these updates are security updates.
To see these additional updates run: apt list --upgradable
""" |
[Impact]
ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.
[Test Case]
* Launch a trusty lxd. For example:
lxc launch ubuntu-daily:trusty trusty
* Update it to the latest publicly available updates:
sudo apt update && sudo apt dist-upgrade -y
* Make sure you have the latest ubuntu-advantage-tools:
sudo apt install ubuntu-advantage-tools
* Run the script that displays the motd bit about available updates:
sudo /usr/lib/update-notifier/apt-check --human-readable
* The output should be something like this, signaling there are only ESM updates available:
"""
UA Infrastructure Extended Security Maintenance (ESM) is not enabled.
0 updates can be installed immediately.
0 of these updates are security updates.
Enable UA Infrastructure ESM to receive 88 additional security updates.
See https://ubuntu.com/advantage or run: sudo ua status
"""
* Obtain an UA token for free at https://ubuntu.com/advantage
* Run attach:
sudo ua attach <token-obtained-in-previous-step>
* Confirm that esm-infra was enabled:
sudo ua status
* Run this command again to display the motd banner output about available updates:
sudo /usr/lib/update-notifier/apt-check --human-readable
* You should get something like this without the fix for this bug:
"""
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
89 updates can be installed immediately.
89 of these updates are provided through UA Infrastructure ESM.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
"""
* In the output above, which is without the fix, note how none of the available updates are flagged as security
* With the updated update-notifier package, the security updates count correctly includes the ESM security updates:
"""
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
88 updates can be installed immediately.
88 of these updates are provided through UA Infrastructure ESM.
85 of these updates are security updates.
To see these additional updates run: apt list --upgradable
"""
[Regression Potential]
The fix is replacing the old incorrect name of the ESM security pocket, so it is already not working. It's also adding a new source of security updates though, UbuntuESMApps, but it doesn't exist for Trusty at the moment, so shouldn't be harmful.
The check for file origin was done comparing to a string, now it's checking for the contents of a tuple, something very common in python.
If there are regressions here, like these changes introducing a backtrace, the impact is that the MOTD message about available updates would not display, or be incorrect.
[Other Info]
There is no test case for the UbuntuESMApps addition, because it's not available for trusty at the moment. One could argue then that it shouldn't be part of the SRU, and that's true. I'll leave it to the SRU team to balance pros and cons, i.e., risk of an unnecessary regression for a feature that doesn't exist.
[Original Description]
ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.
The customer issue reported catches the symptom well:
"""
I believe there's a problem with "apt_check.py" in the "update-notifier-common" package when using "ua". I have enabled "ua" via "ua attach" and yet "apt-check" shows updates, but does not specify they are security updates, even though they are:
mrussell@deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
8 updates can be installed immediately.
8 of these updates are provided through UA Infrastructure ESM.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
Note, these are the packages:
mrussell@deputy:~$ apt list --upgradable
Listing... Done
apt/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable
from: 1.0.1ubuntu2.24]
apt-transport-https/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
apt-utils/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libapt-inst1.5/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libapt-pkg4.12/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libjson-c2/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
libjson0/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
If I change "isSecurityUpgrade()" to also include this
value in "security_pockets": ("UbuntuESM", "%s-infra-security" % DISTRO),
then, the output is correct:
mrussell@deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
8 updates can be installed immediately.
8 of these updates are provided through UA Infrastructure ESM.
8 of these updates are security updates.
To see these additional updates run: apt list --upgradable
""" |
|
2020-06-22 18:02:24 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/update-notifier/+git/update-notifier/+merge/386205 |
|
2020-06-22 18:47:12 |
Andreas Hasenack |
nominated for series |
|
Ubuntu Trusty |
|
2020-06-22 18:47:12 |
Andreas Hasenack |
bug task added |
|
update-notifier (Ubuntu Trusty) |
|
2020-06-22 18:47:25 |
Andreas Hasenack |
update-notifier (Ubuntu Trusty): status |
New |
In Progress |
|
2020-06-22 18:47:28 |
Andreas Hasenack |
update-notifier (Ubuntu Trusty): assignee |
|
Andreas Hasenack (ahasenack) |
|
2020-06-23 20:08:13 |
Andreas Hasenack |
description |
[Impact]
ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.
[Test Case]
* Launch a trusty lxd. For example:
lxc launch ubuntu-daily:trusty trusty
* Update it to the latest publicly available updates:
sudo apt update && sudo apt dist-upgrade -y
* Make sure you have the latest ubuntu-advantage-tools:
sudo apt install ubuntu-advantage-tools
* Run the script that displays the motd bit about available updates:
sudo /usr/lib/update-notifier/apt-check --human-readable
* The output should be something like this, signaling there are only ESM updates available:
"""
UA Infrastructure Extended Security Maintenance (ESM) is not enabled.
0 updates can be installed immediately.
0 of these updates are security updates.
Enable UA Infrastructure ESM to receive 88 additional security updates.
See https://ubuntu.com/advantage or run: sudo ua status
"""
* Obtain an UA token for free at https://ubuntu.com/advantage
* Run attach:
sudo ua attach <token-obtained-in-previous-step>
* Confirm that esm-infra was enabled:
sudo ua status
* Run this command again to display the motd banner output about available updates:
sudo /usr/lib/update-notifier/apt-check --human-readable
* You should get something like this without the fix for this bug:
"""
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
89 updates can be installed immediately.
89 of these updates are provided through UA Infrastructure ESM.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
"""
* In the output above, which is without the fix, note how none of the available updates are flagged as security
* With the updated update-notifier package, the security updates count correctly includes the ESM security updates:
"""
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
88 updates can be installed immediately.
88 of these updates are provided through UA Infrastructure ESM.
85 of these updates are security updates.
To see these additional updates run: apt list --upgradable
"""
[Regression Potential]
The fix is replacing the old incorrect name of the ESM security pocket, so it is already not working. It's also adding a new source of security updates though, UbuntuESMApps, but it doesn't exist for Trusty at the moment, so shouldn't be harmful.
The check for file origin was done comparing to a string, now it's checking for the contents of a tuple, something very common in python.
If there are regressions here, like these changes introducing a backtrace, the impact is that the MOTD message about available updates would not display, or be incorrect.
[Other Info]
There is no test case for the UbuntuESMApps addition, because it's not available for trusty at the moment. One could argue then that it shouldn't be part of the SRU, and that's true. I'll leave it to the SRU team to balance pros and cons, i.e., risk of an unnecessary regression for a feature that doesn't exist.
[Original Description]
ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.
The customer issue reported catches the symptom well:
"""
I believe there's a problem with "apt_check.py" in the "update-notifier-common" package when using "ua". I have enabled "ua" via "ua attach" and yet "apt-check" shows updates, but does not specify they are security updates, even though they are:
mrussell@deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
8 updates can be installed immediately.
8 of these updates are provided through UA Infrastructure ESM.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
Note, these are the packages:
mrussell@deputy:~$ apt list --upgradable
Listing... Done
apt/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable
from: 1.0.1ubuntu2.24]
apt-transport-https/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
apt-utils/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libapt-inst1.5/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libapt-pkg4.12/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libjson-c2/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
libjson0/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
If I change "isSecurityUpgrade()" to also include this
value in "security_pockets": ("UbuntuESM", "%s-infra-security" % DISTRO),
then, the output is correct:
mrussell@deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
8 updates can be installed immediately.
8 of these updates are provided through UA Infrastructure ESM.
8 of these updates are security updates.
To see these additional updates run: apt list --upgradable
""" |
[Impact]
ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.
[Test Case]
* Launch a trusty lxd. For example:
lxc launch ubuntu-daily:trusty trusty
* Update it to the latest publicly available updates:
sudo apt update && sudo apt dist-upgrade -y
* Make sure you have the latest ubuntu-advantage-tools:
sudo apt install ubuntu-advantage-tools
* Run the script that displays the motd bit about available updates:
sudo /usr/lib/update-notifier/apt-check --human-readable
* The output should be something like this, signaling there are only ESM updates available:
"""
UA Infrastructure Extended Security Maintenance (ESM) is not enabled.
0 updates can be installed immediately.
0 of these updates are security updates.
Enable UA Infrastructure ESM to receive 88 additional security updates.
See https://ubuntu.com/advantage or run: sudo ua status
"""
* Obtain an UA token for free at https://ubuntu.com/advantage
* Run attach:
sudo ua attach <token-obtained-in-previous-step>
* Confirm that esm-infra was enabled:
sudo ua status
* Run this command again to display the motd banner output about available updates:
sudo /usr/lib/update-notifier/apt-check --human-readable
* You should get something like this without the fix for this bug:
"""
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
89 updates can be installed immediately.
89 of these updates are provided through UA Infrastructure ESM.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
"""
* In the output above, which is without the fix, note how none of the available updates are flagged as security
* With the updated update-notifier package, the security updates count correctly includes the ESM security updates:
"""
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
88 updates can be installed immediately.
88 of these updates are provided through UA Infrastructure ESM.
85 of these updates are security updates.
To see these additional updates run: apt list --upgradable
"""
[Regression Potential]
The fix is replacing the old incorrect name (<distro>-security) of the ESM security pocket with the correct one (<distro>-infra-security). The old name came from the old ubuntu-advantage-tools bash client, version 10. If this name remains incorrect, the security update coming from ESM won't be counted, which is exactly this bug. So the regression potential in this one liner is that it remains uncounted.
[Other Info]
Instead of fixing the pocket's name, we could have *added* a new pocket with the current correct name, since the server part of ESM responds to both trusty-security and trusyt-infra-security (with origin UbuntuESM).
The reasons we didn't do that are:
- only the old bash client (version 10) used the old pocket name, and it's not available for trusty anymore (unless you go to https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+publishinghistory and fetch it)
- the upgrade from the bash client (v10) to the current client DOES NOT change the pocket name in the sources.list snippet for ESM, so in that brief moment after an upgrade and before a reattach, the count would be zero just like in this bug. HOWEVER, it's a known process that after upgrading from the bash client to the current one, the machine has to be attached again. See the last paragraph of the description in https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1832757, which is when the non-bash client was SRUed, reproduced below:
"""
On an upgrade, existing users of trusty esm are expected to run "sudo ua attach [<token>]", although not doing it won't disable their existing ESM access. The new ua tool just won't recognize esm as being active in its "ua status" output until the attach operation is complete. The same applies to livepatch, if it was enabled before.
"""
The process of attaching will rewrite the pocket name in the local sources.list file snippet from trusty-security to trusty-infra-security.
[Original Description]
ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.
The customer issue reported catches the symptom well:
"""
I believe there's a problem with "apt_check.py" in the "update-notifier-common" package when using "ua". I have enabled "ua" via "ua attach" and yet "apt-check" shows updates, but does not specify they are security updates, even though they are:
mrussell@deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
8 updates can be installed immediately.
8 of these updates are provided through UA Infrastructure ESM.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
Note, these are the packages:
mrussell@deputy:~$ apt list --upgradable
Listing... Done
apt/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable
from: 1.0.1ubuntu2.24]
apt-transport-https/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
apt-utils/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libapt-inst1.5/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libapt-pkg4.12/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libjson-c2/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
libjson0/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
If I change "isSecurityUpgrade()" to also include this
value in "security_pockets": ("UbuntuESM", "%s-infra-security" % DISTRO),
then, the output is correct:
mrussell@deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
8 updates can be installed immediately.
8 of these updates are provided through UA Infrastructure ESM.
8 of these updates are security updates.
To see these additional updates run: apt list --upgradable
""" |
|
2020-06-23 20:11:33 |
Andreas Hasenack |
description |
[Impact]
ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.
[Test Case]
* Launch a trusty lxd. For example:
lxc launch ubuntu-daily:trusty trusty
* Update it to the latest publicly available updates:
sudo apt update && sudo apt dist-upgrade -y
* Make sure you have the latest ubuntu-advantage-tools:
sudo apt install ubuntu-advantage-tools
* Run the script that displays the motd bit about available updates:
sudo /usr/lib/update-notifier/apt-check --human-readable
* The output should be something like this, signaling there are only ESM updates available:
"""
UA Infrastructure Extended Security Maintenance (ESM) is not enabled.
0 updates can be installed immediately.
0 of these updates are security updates.
Enable UA Infrastructure ESM to receive 88 additional security updates.
See https://ubuntu.com/advantage or run: sudo ua status
"""
* Obtain an UA token for free at https://ubuntu.com/advantage
* Run attach:
sudo ua attach <token-obtained-in-previous-step>
* Confirm that esm-infra was enabled:
sudo ua status
* Run this command again to display the motd banner output about available updates:
sudo /usr/lib/update-notifier/apt-check --human-readable
* You should get something like this without the fix for this bug:
"""
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
89 updates can be installed immediately.
89 of these updates are provided through UA Infrastructure ESM.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
"""
* In the output above, which is without the fix, note how none of the available updates are flagged as security
* With the updated update-notifier package, the security updates count correctly includes the ESM security updates:
"""
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
88 updates can be installed immediately.
88 of these updates are provided through UA Infrastructure ESM.
85 of these updates are security updates.
To see these additional updates run: apt list --upgradable
"""
[Regression Potential]
The fix is replacing the old incorrect name (<distro>-security) of the ESM security pocket with the correct one (<distro>-infra-security). The old name came from the old ubuntu-advantage-tools bash client, version 10. If this name remains incorrect, the security update coming from ESM won't be counted, which is exactly this bug. So the regression potential in this one liner is that it remains uncounted.
[Other Info]
Instead of fixing the pocket's name, we could have *added* a new pocket with the current correct name, since the server part of ESM responds to both trusty-security and trusyt-infra-security (with origin UbuntuESM).
The reasons we didn't do that are:
- only the old bash client (version 10) used the old pocket name, and it's not available for trusty anymore (unless you go to https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+publishinghistory and fetch it)
- the upgrade from the bash client (v10) to the current client DOES NOT change the pocket name in the sources.list snippet for ESM, so in that brief moment after an upgrade and before a reattach, the count would be zero just like in this bug. HOWEVER, it's a known process that after upgrading from the bash client to the current one, the machine has to be attached again. See the last paragraph of the description in https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1832757, which is when the non-bash client was SRUed, reproduced below:
"""
On an upgrade, existing users of trusty esm are expected to run "sudo ua attach [<token>]", although not doing it won't disable their existing ESM access. The new ua tool just won't recognize esm as being active in its "ua status" output until the attach operation is complete. The same applies to livepatch, if it was enabled before.
"""
The process of attaching will rewrite the pocket name in the local sources.list file snippet from trusty-security to trusty-infra-security.
[Original Description]
ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.
The customer issue reported catches the symptom well:
"""
I believe there's a problem with "apt_check.py" in the "update-notifier-common" package when using "ua". I have enabled "ua" via "ua attach" and yet "apt-check" shows updates, but does not specify they are security updates, even though they are:
mrussell@deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
8 updates can be installed immediately.
8 of these updates are provided through UA Infrastructure ESM.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
Note, these are the packages:
mrussell@deputy:~$ apt list --upgradable
Listing... Done
apt/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable
from: 1.0.1ubuntu2.24]
apt-transport-https/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
apt-utils/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libapt-inst1.5/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libapt-pkg4.12/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libjson-c2/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
libjson0/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
If I change "isSecurityUpgrade()" to also include this
value in "security_pockets": ("UbuntuESM", "%s-infra-security" % DISTRO),
then, the output is correct:
mrussell@deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
8 updates can be installed immediately.
8 of these updates are provided through UA Infrastructure ESM.
8 of these updates are security updates.
To see these additional updates run: apt list --upgradable
""" |
[Impact]
ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.
[Test Case]
* Launch a trusty lxd. For example:
lxc launch ubuntu-daily:trusty trusty
* Update it to the latest publicly available updates:
sudo apt update && sudo apt dist-upgrade -y
* Make sure you have the latest ubuntu-advantage-tools:
sudo apt install ubuntu-advantage-tools
* Run the script that displays the motd bit about available updates:
sudo /usr/lib/update-notifier/apt-check --human-readable
* The output should be something like this, signaling there are only ESM updates available:
"""
UA Infrastructure Extended Security Maintenance (ESM) is not enabled.
0 updates can be installed immediately.
0 of these updates are security updates.
Enable UA Infrastructure ESM to receive 88 additional security updates.
See https://ubuntu.com/advantage or run: sudo ua status
"""
* Obtain an UA token for free at https://ubuntu.com/advantage
* Run attach:
sudo ua attach <token-obtained-in-previous-step>
* Confirm that esm-infra was enabled:
sudo ua status
* Run this command again to display the motd banner output about available updates:
sudo /usr/lib/update-notifier/apt-check --human-readable
* You should get something like this without the fix for this bug:
"""
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
89 updates can be installed immediately.
89 of these updates are provided through UA Infrastructure ESM.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
"""
* In the output above, which is without the fix, note how none of the available updates are flagged as security
* With the updated update-notifier package, the security updates count correctly includes the ESM security updates:
"""
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
88 updates can be installed immediately.
88 of these updates are provided through UA Infrastructure ESM.
85 of these updates are security updates.
To see these additional updates run: apt list --upgradable
"""
[Regression Potential]
The fix is replacing the old incorrect name (<distro>-security) of the ESM security pocket with the correct one (<distro>-infra-security). The old name came from the old ubuntu-advantage-tools bash client, version 10. If this name remains incorrect, the security update coming from ESM won't be counted, which is exactly this bug. So the regression potential in this one liner is that it remains uncounted.
[Other Info]
Instead of fixing the pocket's name, we could have *added* a new pocket with the current correct name, since the server part of ESM responds to both trusty-security and trusyt-infra-security (with origin UbuntuESM).
The reasons we didn't do that are:
- only the old bash client (version 10) used the old pocket name, and it's not available for trusty anymore (unless you go to https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+publishinghistory and fetch it)
- there was a concern about potentially counting updates twice, if both trusty-security and trusty-infra-security were enabled at the same time
- the upgrade from the bash client (v10) to the current client DOES NOT change the pocket name in the sources.list snippet for ESM, so in that brief moment after an upgrade and before a reattach, the count would be zero just like in this bug. HOWEVER, it's a known process that after upgrading from the bash client to the current one, the machine has to be attached again. See the last paragraph of the description in https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1832757, which is when the non-bash client was SRUed, reproduced below:
"""
On an upgrade, existing users of trusty esm are expected to run "sudo ua attach [<token>]", although not doing it won't disable their existing ESM access. The new ua tool just won't recognize esm as being active in its "ua status" output until the attach operation is complete. The same applies to livepatch, if it was enabled before.
"""
The process of attaching will rewrite the pocket name in the local sources.list file snippet from trusty-security to trusty-infra-security.
[Original Description]
ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.
The customer issue reported catches the symptom well:
"""
I believe there's a problem with "apt_check.py" in the "update-notifier-common" package when using "ua". I have enabled "ua" via "ua attach" and yet "apt-check" shows updates, but does not specify they are security updates, even though they are:
mrussell@deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
8 updates can be installed immediately.
8 of these updates are provided through UA Infrastructure ESM.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
Note, these are the packages:
mrussell@deputy:~$ apt list --upgradable
Listing... Done
apt/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable
from: 1.0.1ubuntu2.24]
apt-transport-https/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
apt-utils/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libapt-inst1.5/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libapt-pkg4.12/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libjson-c2/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
libjson0/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
If I change "isSecurityUpgrade()" to also include this
value in "security_pockets": ("UbuntuESM", "%s-infra-security" % DISTRO),
then, the output is correct:
mrussell@deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
8 updates can be installed immediately.
8 of these updates are provided through UA Infrastructure ESM.
8 of these updates are security updates.
To see these additional updates run: apt list --upgradable
""" |
|
2020-06-23 20:52:34 |
Andreas Hasenack |
description |
[Impact]
ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.
[Test Case]
* Launch a trusty lxd. For example:
lxc launch ubuntu-daily:trusty trusty
* Update it to the latest publicly available updates:
sudo apt update && sudo apt dist-upgrade -y
* Make sure you have the latest ubuntu-advantage-tools:
sudo apt install ubuntu-advantage-tools
* Run the script that displays the motd bit about available updates:
sudo /usr/lib/update-notifier/apt-check --human-readable
* The output should be something like this, signaling there are only ESM updates available:
"""
UA Infrastructure Extended Security Maintenance (ESM) is not enabled.
0 updates can be installed immediately.
0 of these updates are security updates.
Enable UA Infrastructure ESM to receive 88 additional security updates.
See https://ubuntu.com/advantage or run: sudo ua status
"""
* Obtain an UA token for free at https://ubuntu.com/advantage
* Run attach:
sudo ua attach <token-obtained-in-previous-step>
* Confirm that esm-infra was enabled:
sudo ua status
* Run this command again to display the motd banner output about available updates:
sudo /usr/lib/update-notifier/apt-check --human-readable
* You should get something like this without the fix for this bug:
"""
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
89 updates can be installed immediately.
89 of these updates are provided through UA Infrastructure ESM.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
"""
* In the output above, which is without the fix, note how none of the available updates are flagged as security
* With the updated update-notifier package, the security updates count correctly includes the ESM security updates:
"""
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
88 updates can be installed immediately.
88 of these updates are provided through UA Infrastructure ESM.
85 of these updates are security updates.
To see these additional updates run: apt list --upgradable
"""
[Regression Potential]
The fix is replacing the old incorrect name (<distro>-security) of the ESM security pocket with the correct one (<distro>-infra-security). The old name came from the old ubuntu-advantage-tools bash client, version 10. If this name remains incorrect, the security update coming from ESM won't be counted, which is exactly this bug. So the regression potential in this one liner is that it remains uncounted.
[Other Info]
Instead of fixing the pocket's name, we could have *added* a new pocket with the current correct name, since the server part of ESM responds to both trusty-security and trusyt-infra-security (with origin UbuntuESM).
The reasons we didn't do that are:
- only the old bash client (version 10) used the old pocket name, and it's not available for trusty anymore (unless you go to https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+publishinghistory and fetch it)
- there was a concern about potentially counting updates twice, if both trusty-security and trusty-infra-security were enabled at the same time
- the upgrade from the bash client (v10) to the current client DOES NOT change the pocket name in the sources.list snippet for ESM, so in that brief moment after an upgrade and before a reattach, the count would be zero just like in this bug. HOWEVER, it's a known process that after upgrading from the bash client to the current one, the machine has to be attached again. See the last paragraph of the description in https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1832757, which is when the non-bash client was SRUed, reproduced below:
"""
On an upgrade, existing users of trusty esm are expected to run "sudo ua attach [<token>]", although not doing it won't disable their existing ESM access. The new ua tool just won't recognize esm as being active in its "ua status" output until the attach operation is complete. The same applies to livepatch, if it was enabled before.
"""
The process of attaching will rewrite the pocket name in the local sources.list file snippet from trusty-security to trusty-infra-security.
[Original Description]
ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.
The customer issue reported catches the symptom well:
"""
I believe there's a problem with "apt_check.py" in the "update-notifier-common" package when using "ua". I have enabled "ua" via "ua attach" and yet "apt-check" shows updates, but does not specify they are security updates, even though they are:
mrussell@deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
8 updates can be installed immediately.
8 of these updates are provided through UA Infrastructure ESM.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
Note, these are the packages:
mrussell@deputy:~$ apt list --upgradable
Listing... Done
apt/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable
from: 1.0.1ubuntu2.24]
apt-transport-https/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
apt-utils/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libapt-inst1.5/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libapt-pkg4.12/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libjson-c2/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
libjson0/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
If I change "isSecurityUpgrade()" to also include this
value in "security_pockets": ("UbuntuESM", "%s-infra-security" % DISTRO),
then, the output is correct:
mrussell@deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
8 updates can be installed immediately.
8 of these updates are provided through UA Infrastructure ESM.
8 of these updates are security updates.
To see these additional updates run: apt list --upgradable
""" |
[Impact]
ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.
[Test Case]
* Launch a trusty lxd. For example:
lxc launch ubuntu-daily:trusty trusty
* Update it to the latest publicly available updates:
sudo apt update && sudo apt dist-upgrade -y
* Make sure you have the latest ubuntu-advantage-tools:
sudo apt install ubuntu-advantage-tools
* Run the script that displays the motd bit about available updates:
sudo /usr/lib/update-notifier/apt-check --human-readable
* The output should be something like this, signaling there are only ESM updates available:
"""
UA Infrastructure Extended Security Maintenance (ESM) is not enabled.
0 updates can be installed immediately.
0 of these updates are security updates.
Enable UA Infrastructure ESM to receive 88 additional security updates.
See https://ubuntu.com/advantage or run: sudo ua status
"""
* Obtain an UA token for free at https://ubuntu.com/advantage
* Run attach:
sudo ua attach <token-obtained-in-previous-step>
* Confirm that esm-infra was enabled:
sudo ua status
* Run this command again to display the motd banner output about available updates:
sudo /usr/lib/update-notifier/apt-check --human-readable
* You should get something like this without the fix for this bug:
"""
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
89 updates can be installed immediately.
89 of these updates are provided through UA Infrastructure ESM.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
"""
* In the output above, which is without the fix, note how none of the available updates are flagged as security
* With the updated update-notifier package, the security updates count correctly includes the ESM security updates:
"""
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
88 updates can be installed immediately.
88 of these updates are provided through UA Infrastructure ESM.
85 of these updates are security updates.
To see these additional updates run: apt list --upgradable
"""
[Regression Potential]
The fix is replacing the old incorrect name (<distro>-security) of the ESM security pocket with the correct one (<distro>-infra-security). The old name came from the old ubuntu-advantage-tools bash client, version 10. If this name remains incorrect, the security update coming from ESM won't be counted, which is exactly this bug. So the regression potential in this one liner is that it remains uncounted.
[Other Info]
Instead of fixing the pocket's name, we could have *added* a new pocket with the current correct name, since the server part of ESM responds to both trusty-security and trusyt-infra-security (with origin UbuntuESM).
The reasons we didn't do that are:
- only the old bash client (version 10) used the old pocket name, and it's not available for trusty anymore (unless you go to https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+publishinghistory and fetch it)
- there was a concern about potentially counting updates twice, if both trusty-security and trusty-infra-security were enabled at the same time
- the upgrade from the bash client (v10) to the current client DOES NOT change the pocket name in the sources.list snippet for ESM, so in that brief moment after an upgrade and before a reattach, the count would be zero just like in this bug. HOWEVER, it's a known process that after upgrading from the bash client to the current one, the machine has to be attached again. See the last paragraph of the description in https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1832757, which is when the non-bash client was SRUed, reproduced below:
"""
On an upgrade, existing users of trusty esm are expected to run "sudo ua attach [<token>]", although not doing it won't disable their existing ESM access. The new ua tool just won't recognize esm as being active in its "ua status" output until the attach operation is complete. The same applies to livepatch, if it was enabled before.
"""
The process of attaching will rewrite the pocket name in the local sources.list file snippet from trusty-security to trusty-infra-security.
Finally, this update is for trusty only. Xenial doesn't have ESM yet, and updating update-notifier there would be an useless download for users, with a regression risk for no benefit.
[Original Description]
ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.
The customer issue reported catches the symptom well:
"""
I believe there's a problem with "apt_check.py" in the "update-notifier-common" package when using "ua". I have enabled "ua" via "ua attach" and yet "apt-check" shows updates, but does not specify they are security updates, even though they are:
mrussell@deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
8 updates can be installed immediately.
8 of these updates are provided through UA Infrastructure ESM.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
Note, these are the packages:
mrussell@deputy:~$ apt list --upgradable
Listing... Done
apt/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable
from: 1.0.1ubuntu2.24]
apt-transport-https/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
apt-utils/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libapt-inst1.5/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libapt-pkg4.12/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libjson-c2/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
libjson0/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
If I change "isSecurityUpgrade()" to also include this
value in "security_pockets": ("UbuntuESM", "%s-infra-security" % DISTRO),
then, the output is correct:
mrussell@deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
8 updates can be installed immediately.
8 of these updates are provided through UA Infrastructure ESM.
8 of these updates are security updates.
To see these additional updates run: apt list --upgradable
""" |
|
2020-08-06 11:48:26 |
Andreas Hasenack |
update-notifier (Ubuntu Trusty): status |
In Progress |
Fix Released |
|
2020-10-05 20:18:25 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~chad.smith/ubuntu/+source/update-notifier/+git/update-notifier/+merge/391841 |
|
2020-10-05 20:20:19 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~chad.smith/ubuntu/+source/update-notifier/+git/update-notifier/+merge/391843 |
|
2020-10-05 20:24:55 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~chad.smith/ubuntu/+source/update-notifier/+git/update-notifier/+merge/391846 |
|
2020-10-12 16:47:47 |
Chad Smith |
description |
[Impact]
ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.
[Test Case]
* Launch a trusty lxd. For example:
lxc launch ubuntu-daily:trusty trusty
* Update it to the latest publicly available updates:
sudo apt update && sudo apt dist-upgrade -y
* Make sure you have the latest ubuntu-advantage-tools:
sudo apt install ubuntu-advantage-tools
* Run the script that displays the motd bit about available updates:
sudo /usr/lib/update-notifier/apt-check --human-readable
* The output should be something like this, signaling there are only ESM updates available:
"""
UA Infrastructure Extended Security Maintenance (ESM) is not enabled.
0 updates can be installed immediately.
0 of these updates are security updates.
Enable UA Infrastructure ESM to receive 88 additional security updates.
See https://ubuntu.com/advantage or run: sudo ua status
"""
* Obtain an UA token for free at https://ubuntu.com/advantage
* Run attach:
sudo ua attach <token-obtained-in-previous-step>
* Confirm that esm-infra was enabled:
sudo ua status
* Run this command again to display the motd banner output about available updates:
sudo /usr/lib/update-notifier/apt-check --human-readable
* You should get something like this without the fix for this bug:
"""
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
89 updates can be installed immediately.
89 of these updates are provided through UA Infrastructure ESM.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
"""
* In the output above, which is without the fix, note how none of the available updates are flagged as security
* With the updated update-notifier package, the security updates count correctly includes the ESM security updates:
"""
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
88 updates can be installed immediately.
88 of these updates are provided through UA Infrastructure ESM.
85 of these updates are security updates.
To see these additional updates run: apt list --upgradable
"""
[Regression Potential]
The fix is replacing the old incorrect name (<distro>-security) of the ESM security pocket with the correct one (<distro>-infra-security). The old name came from the old ubuntu-advantage-tools bash client, version 10. If this name remains incorrect, the security update coming from ESM won't be counted, which is exactly this bug. So the regression potential in this one liner is that it remains uncounted.
[Other Info]
Instead of fixing the pocket's name, we could have *added* a new pocket with the current correct name, since the server part of ESM responds to both trusty-security and trusyt-infra-security (with origin UbuntuESM).
The reasons we didn't do that are:
- only the old bash client (version 10) used the old pocket name, and it's not available for trusty anymore (unless you go to https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+publishinghistory and fetch it)
- there was a concern about potentially counting updates twice, if both trusty-security and trusty-infra-security were enabled at the same time
- the upgrade from the bash client (v10) to the current client DOES NOT change the pocket name in the sources.list snippet for ESM, so in that brief moment after an upgrade and before a reattach, the count would be zero just like in this bug. HOWEVER, it's a known process that after upgrading from the bash client to the current one, the machine has to be attached again. See the last paragraph of the description in https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1832757, which is when the non-bash client was SRUed, reproduced below:
"""
On an upgrade, existing users of trusty esm are expected to run "sudo ua attach [<token>]", although not doing it won't disable their existing ESM access. The new ua tool just won't recognize esm as being active in its "ua status" output until the attach operation is complete. The same applies to livepatch, if it was enabled before.
"""
The process of attaching will rewrite the pocket name in the local sources.list file snippet from trusty-security to trusty-infra-security.
Finally, this update is for trusty only. Xenial doesn't have ESM yet, and updating update-notifier there would be an useless download for users, with a regression risk for no benefit.
[Original Description]
ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.
The customer issue reported catches the symptom well:
"""
I believe there's a problem with "apt_check.py" in the "update-notifier-common" package when using "ua". I have enabled "ua" via "ua attach" and yet "apt-check" shows updates, but does not specify they are security updates, even though they are:
mrussell@deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
8 updates can be installed immediately.
8 of these updates are provided through UA Infrastructure ESM.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
Note, these are the packages:
mrussell@deputy:~$ apt list --upgradable
Listing... Done
apt/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable
from: 1.0.1ubuntu2.24]
apt-transport-https/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
apt-utils/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libapt-inst1.5/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libapt-pkg4.12/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libjson-c2/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
libjson0/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
If I change "isSecurityUpgrade()" to also include this
value in "security_pockets": ("UbuntuESM", "%s-infra-security" % DISTRO),
then, the output is correct:
mrussell@deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
8 updates can be installed immediately.
8 of these updates are provided through UA Infrastructure ESM.
8 of these updates are security updates.
To see these additional updates run: apt list --upgradable
""" |
[Impact]
ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.
[Test Case]
* Launch a trusty/xenial/bionic/focal lxd from ua-client/proposed PPA.
* Run the script that displays the motd bit about available updates:
sudo /usr/lib/update-notifier/apt-check --human-readable
* The output should be something like this, signaling there are only ESM updates available:
"""
UA Infrastructure Extended Security Maintenance (ESM) is not enabled.
0 updates can be installed immediately.
0 of these updates are security updates.
Enable UA Infrastructure ESM to receive 88 additional security updates.
See https://ubuntu.com/advantage or run: sudo ua status
"""
* Obtain an UA token for free at https://ubuntu.com/advantage
* Run attach:
sudo ua attach <token-obtained-in-previous-step>
* Confirm that esm-infra was enabled:
sudo ua status
* Run this command again to display the motd banner output about available updates:
sudo /usr/lib/update-notifier/apt-check --human-readable
* You should get something like this without the fix for this bug:
"""
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
89 updates can be installed immediately.
89 of these updates are provided through UA Infrastructure ESM.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
"""
* In the output above, which is without the fix, note how none of the available updates are flagged as security
* With the updated update-notifier package, the security updates count correctly includes the ESM security updates:
"""
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
88 updates can be installed immediately.
88 of these updates are provided through UA Infrastructure ESM.
85 of these updates are security updates.
To see these additional updates run: apt list --upgradable
"""
Test Script:
#!/bin/bash
#
# SRU Verification update-notifier + ubuntu=advantage-tools
# Test procedure:
# - launch container Trusty, Xenial or Bionic
# - Install ubuntu-advantage-tools from https://launchpad.net/~ua-client/+archive/ubuntu/proposed which supports esm on trusty, xenial, bionic, and focal
# - Attach container to UA subscription (which activates the ESM APT repos
# - run apt_check --human-readable to assert ESM pkg counts ARE NOT reported
# - Upgrade update-notifier to -proposed
# - re-run apt_check --human-readable to assert ESM pkg counts ARE reported
set -e
UA_TOKEN=$1
if [ -z "$1" ]; then
echo "Usage: $0 <contractTOKEN>"
exit 1
fi
# sources:
# ua.proposed:
# source: deb http://ppa.launchpad.net/canonical-server/ua-client-daily/ubuntu \$RELEASE main
# keyid: 94E187AD53A59D1847E4880F8A295C4FB8B190B7
cat > test-uru.yaml <<EOF
#cloud-config
ssh_import_id: [chad.smith]
package_update: true
package_upgrade: true
apt:
sources:
ua.proposed: deb http://ppa.launchpad.net/ua-client/proposed/ubuntu \$RELEASE main
keyid: 6E34E7116C0BC933
EOF
cat > setup_proposed.sh <<EOF
#/bin/bash
mirror=http://archive.ubuntu.com/ubuntu
echo deb \$mirror \$(lsb_release -sc)-proposed main | tee /etc/apt/sources.list.d/proposed.list
apt-get update -q
apt-get install -qy update-notifier
EOF
wait_for_boot() {
local vm=$1 release=$2
echo "--- Wait for cloud-init to finish"
sleep 5
lxc exec ${vm} -- cloud-init status --wait --long
}
for release in xenial bionic focal; do
echo "--- BEGIN $release update-notifier testing"
vm=test-sru-$release
echo "--- Launch cloud-init with ppa:ua-client/proposed enabled"
lxc launch ubuntu-daily:${release} ${vm} -c user.user-data="$(cat test-un.yaml)"
wait_for_boot ${vm} ${release}
echo "--- Attach Ubuntu-Advantage, enabling services"
lxc exec ${vm} -- ua attach ${UA_TOKEN}
echo "--- Check Original MOTD output from apt_check before upgrade"
lxc exec ${vm} -- /usr/lib/update-notifier/apt-check --human-readable
echo "--- Upgrade update-notifier from -proposed"
lxc file push setup_proposed.sh ${vm}/
lxc exec ${vm} -- bash /setup-proposed.sh | grep update-notifier
echo "--- Check upadate-notifier(-proposed) MOTD output from apt_check after upgrade"
lxc exec ${vm} -- /usr/lib/update-notifier/apt-check --human-readable
done
[Regression Potential]
The fix is replacing the old incorrect name (<distro>-security) of the ESM security pocket with the correct one (<distro>-infra-security). The old name came from the old ubuntu-advantage-tools bash client, version 10. If this name remains incorrect, the security update coming from ESM won't be counted, which is exactly this bug. So the regression potential in this one liner is that it remains uncounted.
[Other Info]
Instead of fixing the pocket's name, we could have *added* a new pocket with the current correct name, since the server part of ESM responds to both trusty-security and trusyt-infra-security (with origin UbuntuESM).
The reasons we didn't do that are:
- only the old bash client (version 10) used the old pocket name, and it's not available for trusty anymore (unless you go to https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+publishinghistory and fetch it)
- there was a concern about potentially counting updates twice, if both trusty-security and trusty-infra-security were enabled at the same time
- the upgrade from the bash client (v10) to the current client DOES NOT change the pocket name in the sources.list snippet for ESM, so in that brief moment after an upgrade and before a reattach, the count would be zero just like in this bug. HOWEVER, it's a known process that after upgrading from the bash client to the current one, the machine has to be attached again. See the last paragraph of the description in https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1832757, which is when the non-bash client was SRUed, reproduced below:
"""
On an upgrade, existing users of trusty esm are expected to run "sudo ua attach [<token>]", although not doing it won't disable their existing ESM access. The new ua tool just won't recognize esm as being active in its "ua status" output until the attach operation is complete. The same applies to livepatch, if it was enabled before.
"""
The process of attaching will rewrite the pocket name in the local sources.list file snippet from trusty-security to trusty-infra-security.
Finally, this update is for trusty only. Xenial doesn't have ESM yet, and updating update-notifier there would be an useless download for users, with a regression risk for no benefit.
[Original Description]
ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.
The customer issue reported catches the symptom well:
"""
I believe there's a problem with "apt_check.py" in the "update-notifier-common" package when using "ua". I have enabled "ua" via "ua attach" and yet "apt-check" shows updates, but does not specify they are security updates, even though they are:
mrussell@deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
8 updates can be installed immediately.
8 of these updates are provided through UA Infrastructure ESM.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
Note, these are the packages:
mrussell@deputy:~$ apt list --upgradable
Listing... Done
apt/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable
from: 1.0.1ubuntu2.24]
apt-transport-https/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
apt-utils/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libapt-inst1.5/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libapt-pkg4.12/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libjson-c2/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
libjson0/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
If I change "isSecurityUpgrade()" to also include this
value in "security_pockets": ("UbuntuESM", "%s-infra-security" % DISTRO),
then, the output is correct:
mrussell@deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
8 updates can be installed immediately.
8 of these updates are provided through UA Infrastructure ESM.
8 of these updates are security updates.
To see these additional updates run: apt list --upgradable
""" |
|
2020-10-16 03:46:12 |
Chris Halse Rogers |
update-notifier (Ubuntu Xenial): status |
New |
Fix Committed |
|
2020-10-16 03:46:14 |
Chris Halse Rogers |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2020-10-16 03:46:16 |
Chris Halse Rogers |
bug |
|
|
added subscriber SRU Verification |
2020-10-16 03:46:22 |
Chris Halse Rogers |
tags |
patch rls-gg-incoming |
patch rls-gg-incoming verification-needed verification-needed-xenial |
|
2020-10-16 04:28:46 |
Chris Halse Rogers |
update-notifier (Ubuntu Bionic): status |
New |
Fix Committed |
|
2020-10-16 04:28:54 |
Chris Halse Rogers |
tags |
patch rls-gg-incoming verification-needed verification-needed-xenial |
patch rls-gg-incoming verification-needed verification-needed-bionic verification-needed-xenial |
|
2020-10-16 04:31:55 |
Chris Halse Rogers |
update-notifier (Ubuntu Focal): status |
New |
Fix Committed |
|
2020-10-16 04:32:03 |
Chris Halse Rogers |
tags |
patch rls-gg-incoming verification-needed verification-needed-bionic verification-needed-xenial |
patch rls-gg-incoming verification-needed verification-needed-bionic verification-needed-focal verification-needed-xenial |
|
2020-10-19 19:45:35 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~chad.smith/ubuntu/+source/update-notifier/+git/update-notifier/+merge/392487 |
|
2020-11-30 20:22:00 |
Chad Smith |
description |
[Impact]
ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.
[Test Case]
* Launch a trusty/xenial/bionic/focal lxd from ua-client/proposed PPA.
* Run the script that displays the motd bit about available updates:
sudo /usr/lib/update-notifier/apt-check --human-readable
* The output should be something like this, signaling there are only ESM updates available:
"""
UA Infrastructure Extended Security Maintenance (ESM) is not enabled.
0 updates can be installed immediately.
0 of these updates are security updates.
Enable UA Infrastructure ESM to receive 88 additional security updates.
See https://ubuntu.com/advantage or run: sudo ua status
"""
* Obtain an UA token for free at https://ubuntu.com/advantage
* Run attach:
sudo ua attach <token-obtained-in-previous-step>
* Confirm that esm-infra was enabled:
sudo ua status
* Run this command again to display the motd banner output about available updates:
sudo /usr/lib/update-notifier/apt-check --human-readable
* You should get something like this without the fix for this bug:
"""
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
89 updates can be installed immediately.
89 of these updates are provided through UA Infrastructure ESM.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
"""
* In the output above, which is without the fix, note how none of the available updates are flagged as security
* With the updated update-notifier package, the security updates count correctly includes the ESM security updates:
"""
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
88 updates can be installed immediately.
88 of these updates are provided through UA Infrastructure ESM.
85 of these updates are security updates.
To see these additional updates run: apt list --upgradable
"""
Test Script:
#!/bin/bash
#
# SRU Verification update-notifier + ubuntu=advantage-tools
# Test procedure:
# - launch container Trusty, Xenial or Bionic
# - Install ubuntu-advantage-tools from https://launchpad.net/~ua-client/+archive/ubuntu/proposed which supports esm on trusty, xenial, bionic, and focal
# - Attach container to UA subscription (which activates the ESM APT repos
# - run apt_check --human-readable to assert ESM pkg counts ARE NOT reported
# - Upgrade update-notifier to -proposed
# - re-run apt_check --human-readable to assert ESM pkg counts ARE reported
set -e
UA_TOKEN=$1
if [ -z "$1" ]; then
echo "Usage: $0 <contractTOKEN>"
exit 1
fi
# sources:
# ua.proposed:
# source: deb http://ppa.launchpad.net/canonical-server/ua-client-daily/ubuntu \$RELEASE main
# keyid: 94E187AD53A59D1847E4880F8A295C4FB8B190B7
cat > test-uru.yaml <<EOF
#cloud-config
ssh_import_id: [chad.smith]
package_update: true
package_upgrade: true
apt:
sources:
ua.proposed: deb http://ppa.launchpad.net/ua-client/proposed/ubuntu \$RELEASE main
keyid: 6E34E7116C0BC933
EOF
cat > setup_proposed.sh <<EOF
#/bin/bash
mirror=http://archive.ubuntu.com/ubuntu
echo deb \$mirror \$(lsb_release -sc)-proposed main | tee /etc/apt/sources.list.d/proposed.list
apt-get update -q
apt-get install -qy update-notifier
EOF
wait_for_boot() {
local vm=$1 release=$2
echo "--- Wait for cloud-init to finish"
sleep 5
lxc exec ${vm} -- cloud-init status --wait --long
}
for release in xenial bionic focal; do
echo "--- BEGIN $release update-notifier testing"
vm=test-sru-$release
echo "--- Launch cloud-init with ppa:ua-client/proposed enabled"
lxc launch ubuntu-daily:${release} ${vm} -c user.user-data="$(cat test-un.yaml)"
wait_for_boot ${vm} ${release}
echo "--- Attach Ubuntu-Advantage, enabling services"
lxc exec ${vm} -- ua attach ${UA_TOKEN}
echo "--- Check Original MOTD output from apt_check before upgrade"
lxc exec ${vm} -- /usr/lib/update-notifier/apt-check --human-readable
echo "--- Upgrade update-notifier from -proposed"
lxc file push setup_proposed.sh ${vm}/
lxc exec ${vm} -- bash /setup-proposed.sh | grep update-notifier
echo "--- Check upadate-notifier(-proposed) MOTD output from apt_check after upgrade"
lxc exec ${vm} -- /usr/lib/update-notifier/apt-check --human-readable
done
[Regression Potential]
The fix is replacing the old incorrect name (<distro>-security) of the ESM security pocket with the correct one (<distro>-infra-security). The old name came from the old ubuntu-advantage-tools bash client, version 10. If this name remains incorrect, the security update coming from ESM won't be counted, which is exactly this bug. So the regression potential in this one liner is that it remains uncounted.
[Other Info]
Instead of fixing the pocket's name, we could have *added* a new pocket with the current correct name, since the server part of ESM responds to both trusty-security and trusyt-infra-security (with origin UbuntuESM).
The reasons we didn't do that are:
- only the old bash client (version 10) used the old pocket name, and it's not available for trusty anymore (unless you go to https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+publishinghistory and fetch it)
- there was a concern about potentially counting updates twice, if both trusty-security and trusty-infra-security were enabled at the same time
- the upgrade from the bash client (v10) to the current client DOES NOT change the pocket name in the sources.list snippet for ESM, so in that brief moment after an upgrade and before a reattach, the count would be zero just like in this bug. HOWEVER, it's a known process that after upgrading from the bash client to the current one, the machine has to be attached again. See the last paragraph of the description in https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1832757, which is when the non-bash client was SRUed, reproduced below:
"""
On an upgrade, existing users of trusty esm are expected to run "sudo ua attach [<token>]", although not doing it won't disable their existing ESM access. The new ua tool just won't recognize esm as being active in its "ua status" output until the attach operation is complete. The same applies to livepatch, if it was enabled before.
"""
The process of attaching will rewrite the pocket name in the local sources.list file snippet from trusty-security to trusty-infra-security.
Finally, this update is for trusty only. Xenial doesn't have ESM yet, and updating update-notifier there would be an useless download for users, with a regression risk for no benefit.
[Original Description]
ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.
The customer issue reported catches the symptom well:
"""
I believe there's a problem with "apt_check.py" in the "update-notifier-common" package when using "ua". I have enabled "ua" via "ua attach" and yet "apt-check" shows updates, but does not specify they are security updates, even though they are:
mrussell@deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
8 updates can be installed immediately.
8 of these updates are provided through UA Infrastructure ESM.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
Note, these are the packages:
mrussell@deputy:~$ apt list --upgradable
Listing... Done
apt/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable
from: 1.0.1ubuntu2.24]
apt-transport-https/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
apt-utils/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libapt-inst1.5/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libapt-pkg4.12/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libjson-c2/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
libjson0/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
If I change "isSecurityUpgrade()" to also include this
value in "security_pockets": ("UbuntuESM", "%s-infra-security" % DISTRO),
then, the output is correct:
mrussell@deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
8 updates can be installed immediately.
8 of these updates are provided through UA Infrastructure ESM.
8 of these updates are security updates.
To see these additional updates run: apt list --upgradable
""" |
[Impact]
ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.
[Test Case]
* Launch a trusty/xenial/bionic/focal lxd from ua-client/proposed PPA.
* Run the script that displays the motd bit about available updates:
sudo /usr/lib/update-notifier/apt-check --human-readable
* The output should be something like this, signaling there are only ESM updates available:
"""
UA Infrastructure Extended Security Maintenance (ESM) is not enabled.
0 updates can be installed immediately.
0 of these updates are security updates.
Enable UA Infrastructure ESM to receive 88 additional security updates.
See https://ubuntu.com/advantage or run: sudo ua status
"""
* Obtain an UA token for free at https://ubuntu.com/advantage
* Run attach:
sudo ua attach <token-obtained-in-previous-step>
* Confirm that esm-infra was enabled:
sudo ua status
* Run this command again to display the motd banner output about available updates:
sudo /usr/lib/update-notifier/apt-check --human-readable
* You should get something like this without the fix for this bug:
"""
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
89 updates can be installed immediately.
89 of these updates are provided through UA Infrastructure ESM.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
"""
* In the output above, which is without the fix, note how none of the available updates are flagged as security
* With the updated update-notifier package, the security updates count correctly includes the ESM security updates:
"""
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
88 updates can be installed immediately.
88 of these updates are provided through UA Infrastructure ESM.
85 of these updates are security updates.
To see these additional updates run: apt list --upgradable
"""
Test Script:
#!/bin/bash
#
# SRU Verification update-notifier + ubuntu=advantage-tools
# Test procedure:
# - launch container Trusty, Xenial or Bionic
# - Install ubuntu-advantage-tools from https://launchpad.net/~ua-client/+archive/ubuntu/proposed which supports esm on trusty, xenial, bionic, and focal
# - Attach container to UA subscription (which activates the ESM APT repos
# - run apt_check --human-readable to assert ESM pkg counts ARE NOT reported
# - Upgrade update-notifier to -proposed
# - re-run apt_check --human-readable to assert ESM pkg counts ARE reported
set -e
UA_TOKEN=$1
if [ -z "$1" ]; then
echo "Usage: $0 <contractTOKEN>"
exit 1
fi
# sources:
# ua.proposed:
# source: deb http://ppa.launchpad.net/canonical-server/ua-client-daily/ubuntu \$RELEASE main
# keyid: 94E187AD53A59D1847E4880F8A295C4FB8B190B7
cat > test-un.yaml <<EOF
#cloud-config
ssh_import_id: [chad.smith]
package_update: true
package_upgrade: true
apt:
sources:
ua.proposed:
source: deb http://ppa.launchpad.net/ua-client/staging/ubuntu \$RELEASE main
keyid: 6E34E7116C0BC933
EOF
cat > setup_proposed.sh <<EOF
#/bin/bash
mirror=http://archive.ubuntu.com/ubuntu
echo deb \$mirror \$(lsb_release -sc)-proposed main | tee /etc/apt/sources.list.d/proposed.list
apt-get update -q
apt-get install -qy update-notifier-common
EOF
wait_for_boot() {
local vm=$1 release=$2
echo "--- Wait for cloud-init to finish"
sleep 5
lxc exec ${vm} -- cloud-init status --wait --long
}
for release in focal; do
echo "--- BEGIN $release update-notifier testing"
vm=test-sru-$release
echo "--- Launch cloud-init with ppa:ua-client/proposed enabled"
lxc launch ubuntu-daily:${release} ${vm} -c user.user-data="$(cat test-un.yaml)"
wait_for_boot ${vm} ${release}
echo "--- Attach Ubuntu-Advantage, enabling services"
lxc exec ${vm} -- ua attach ${UA_TOKEN}
echo "--- Install a downgraded hello package which ESM-focal delivers"
lxc exec ${vm} -- apt-get install hello=2.10-2ubuntu2
echo "--- Expect 0 upgradable packages for MOTD from apt_check before upgrade"
lxc exec ${vm} -- /usr/lib/update-notifier/apt-check --human-readable
lxc exec ${vm} -- /usr/lib/update-notifier/apt-check --human-readable | grep '0 of these updates are security updates' && echo "SUCCESS: found 0 ESM security updates pre-upgrade" || echo "FAILURE: did not find expected 0 ESM security updates"
echo "--- Upgrade update-notifier from -proposed"
lxc file push setup_proposed.sh ${vm}/
lxc exec ${vm} -- bash /setup_proposed.sh | grep update-notifier
echo "--- Expect non-zero upgradable packages for MOTD from apt_check AFTER upgrade"
lxc exec ${vm} -- /usr/lib/update-notifier/apt-check --human-readable | grep '1 of these updates is a security update' && echo "SUCCESS: found 1 ESM security updates pre-upgrade" || echo "FAILURE: did not find expected 1 ESM security updates"
done
[Regression Potential]
The fix is replacing the old incorrect name (<distro>-security) of the ESM security pocket with the correct one (<distro>-infra-security). The old name came from the old ubuntu-advantage-tools bash client, version 10. If this name remains incorrect, the security update coming from ESM won't be counted, which is exactly this bug. So the regression potential in this one liner is that it remains uncounted.
[Other Info]
Instead of fixing the pocket's name, we could have *added* a new pocket with the current correct name, since the server part of ESM responds to both trusty-security and trusyt-infra-security (with origin UbuntuESM).
The reasons we didn't do that are:
- only the old bash client (version 10) used the old pocket name, and it's not available for trusty anymore (unless you go to https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+publishinghistory and fetch it)
- there was a concern about potentially counting updates twice, if both trusty-security and trusty-infra-security were enabled at the same time
- the upgrade from the bash client (v10) to the current client DOES NOT change the pocket name in the sources.list snippet for ESM, so in that brief moment after an upgrade and before a reattach, the count would be zero just like in this bug. HOWEVER, it's a known process that after upgrading from the bash client to the current one, the machine has to be attached again. See the last paragraph of the description in https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1832757, which is when the non-bash client was SRUed, reproduced below:
"""
On an upgrade, existing users of trusty esm are expected to run "sudo ua attach [<token>]", although not doing it won't disable their existing ESM access. The new ua tool just won't recognize esm as being active in its "ua status" output until the attach operation is complete. The same applies to livepatch, if it was enabled before.
"""
The process of attaching will rewrite the pocket name in the local sources.list file snippet from trusty-security to trusty-infra-security.
Finally, this update is for trusty only. Xenial doesn't have ESM yet, and updating update-notifier there would be an useless download for users, with a regression risk for no benefit.
[Original Description]
ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.
The customer issue reported catches the symptom well:
"""
I believe there's a problem with "apt_check.py" in the "update-notifier-common" package when using "ua". I have enabled "ua" via "ua attach" and yet "apt-check" shows updates, but does not specify they are security updates, even though they are:
mrussell@deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
8 updates can be installed immediately.
8 of these updates are provided through UA Infrastructure ESM.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
Note, these are the packages:
mrussell@deputy:~$ apt list --upgradable
Listing... Done
apt/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable
from: 1.0.1ubuntu2.24]
apt-transport-https/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
apt-utils/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libapt-inst1.5/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libapt-pkg4.12/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libjson-c2/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
libjson0/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
If I change "isSecurityUpgrade()" to also include this
value in "security_pockets": ("UbuntuESM", "%s-infra-security" % DISTRO),
then, the output is correct:
mrussell@deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
8 updates can be installed immediately.
8 of these updates are provided through UA Infrastructure ESM.
8 of these updates are security updates.
To see these additional updates run: apt list --upgradable
""" |
|
2020-11-30 20:23:21 |
Chad Smith |
tags |
patch rls-gg-incoming verification-needed verification-needed-bionic verification-needed-focal verification-needed-xenial |
patch rls-gg-incoming verification-done-focal verification-needed verification-needed-bionic verification-needed-xenial |
|
2020-11-30 20:42:25 |
Chad Smith |
tags |
patch rls-gg-incoming verification-done-focal verification-needed verification-needed-bionic verification-needed-xenial |
patch rls-gg-incoming verification-failed verification-failed-bionic verification-failed-focal verification-failed-xenial |
|
2020-12-04 17:34:36 |
Timo Aaltonen |
tags |
patch rls-gg-incoming verification-failed verification-failed-bionic verification-failed-focal verification-failed-xenial |
patch rls-gg-incoming verification-failed-bionic verification-failed-xenial verification-needed verification-needed-focal |
|
2020-12-04 17:44:29 |
Timo Aaltonen |
tags |
patch rls-gg-incoming verification-failed-bionic verification-failed-xenial verification-needed verification-needed-focal |
patch rls-gg-incoming verification-failed-xenial verification-needed verification-needed-bionic verification-needed-focal |
|
2020-12-04 17:55:56 |
Timo Aaltonen |
tags |
patch rls-gg-incoming verification-failed-xenial verification-needed verification-needed-bionic verification-needed-focal |
patch rls-gg-incoming verification-needed verification-needed-bionic verification-needed-focal verification-needed-xenial |
|
2020-12-11 05:50:43 |
Mathew Hodson |
update-notifier (Ubuntu Focal): status |
Fix Committed |
Triaged |
|
2020-12-11 05:51:11 |
Mathew Hodson |
tags |
patch rls-gg-incoming verification-needed verification-needed-bionic verification-needed-focal verification-needed-xenial |
patch rls-gg-incoming verification-needed-bionic verification-needed-xenial |
|
2020-12-19 04:53:13 |
Chad Smith |
description |
[Impact]
ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.
[Test Case]
* Launch a trusty/xenial/bionic/focal lxd from ua-client/proposed PPA.
* Run the script that displays the motd bit about available updates:
sudo /usr/lib/update-notifier/apt-check --human-readable
* The output should be something like this, signaling there are only ESM updates available:
"""
UA Infrastructure Extended Security Maintenance (ESM) is not enabled.
0 updates can be installed immediately.
0 of these updates are security updates.
Enable UA Infrastructure ESM to receive 88 additional security updates.
See https://ubuntu.com/advantage or run: sudo ua status
"""
* Obtain an UA token for free at https://ubuntu.com/advantage
* Run attach:
sudo ua attach <token-obtained-in-previous-step>
* Confirm that esm-infra was enabled:
sudo ua status
* Run this command again to display the motd banner output about available updates:
sudo /usr/lib/update-notifier/apt-check --human-readable
* You should get something like this without the fix for this bug:
"""
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
89 updates can be installed immediately.
89 of these updates are provided through UA Infrastructure ESM.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
"""
* In the output above, which is without the fix, note how none of the available updates are flagged as security
* With the updated update-notifier package, the security updates count correctly includes the ESM security updates:
"""
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
88 updates can be installed immediately.
88 of these updates are provided through UA Infrastructure ESM.
85 of these updates are security updates.
To see these additional updates run: apt list --upgradable
"""
Test Script:
#!/bin/bash
#
# SRU Verification update-notifier + ubuntu=advantage-tools
# Test procedure:
# - launch container Trusty, Xenial or Bionic
# - Install ubuntu-advantage-tools from https://launchpad.net/~ua-client/+archive/ubuntu/proposed which supports esm on trusty, xenial, bionic, and focal
# - Attach container to UA subscription (which activates the ESM APT repos
# - run apt_check --human-readable to assert ESM pkg counts ARE NOT reported
# - Upgrade update-notifier to -proposed
# - re-run apt_check --human-readable to assert ESM pkg counts ARE reported
set -e
UA_TOKEN=$1
if [ -z "$1" ]; then
echo "Usage: $0 <contractTOKEN>"
exit 1
fi
# sources:
# ua.proposed:
# source: deb http://ppa.launchpad.net/canonical-server/ua-client-daily/ubuntu \$RELEASE main
# keyid: 94E187AD53A59D1847E4880F8A295C4FB8B190B7
cat > test-un.yaml <<EOF
#cloud-config
ssh_import_id: [chad.smith]
package_update: true
package_upgrade: true
apt:
sources:
ua.proposed:
source: deb http://ppa.launchpad.net/ua-client/staging/ubuntu \$RELEASE main
keyid: 6E34E7116C0BC933
EOF
cat > setup_proposed.sh <<EOF
#/bin/bash
mirror=http://archive.ubuntu.com/ubuntu
echo deb \$mirror \$(lsb_release -sc)-proposed main | tee /etc/apt/sources.list.d/proposed.list
apt-get update -q
apt-get install -qy update-notifier-common
EOF
wait_for_boot() {
local vm=$1 release=$2
echo "--- Wait for cloud-init to finish"
sleep 5
lxc exec ${vm} -- cloud-init status --wait --long
}
for release in focal; do
echo "--- BEGIN $release update-notifier testing"
vm=test-sru-$release
echo "--- Launch cloud-init with ppa:ua-client/proposed enabled"
lxc launch ubuntu-daily:${release} ${vm} -c user.user-data="$(cat test-un.yaml)"
wait_for_boot ${vm} ${release}
echo "--- Attach Ubuntu-Advantage, enabling services"
lxc exec ${vm} -- ua attach ${UA_TOKEN}
echo "--- Install a downgraded hello package which ESM-focal delivers"
lxc exec ${vm} -- apt-get install hello=2.10-2ubuntu2
echo "--- Expect 0 upgradable packages for MOTD from apt_check before upgrade"
lxc exec ${vm} -- /usr/lib/update-notifier/apt-check --human-readable
lxc exec ${vm} -- /usr/lib/update-notifier/apt-check --human-readable | grep '0 of these updates are security updates' && echo "SUCCESS: found 0 ESM security updates pre-upgrade" || echo "FAILURE: did not find expected 0 ESM security updates"
echo "--- Upgrade update-notifier from -proposed"
lxc file push setup_proposed.sh ${vm}/
lxc exec ${vm} -- bash /setup_proposed.sh | grep update-notifier
echo "--- Expect non-zero upgradable packages for MOTD from apt_check AFTER upgrade"
lxc exec ${vm} -- /usr/lib/update-notifier/apt-check --human-readable | grep '1 of these updates is a security update' && echo "SUCCESS: found 1 ESM security updates pre-upgrade" || echo "FAILURE: did not find expected 1 ESM security updates"
done
[Regression Potential]
The fix is replacing the old incorrect name (<distro>-security) of the ESM security pocket with the correct one (<distro>-infra-security). The old name came from the old ubuntu-advantage-tools bash client, version 10. If this name remains incorrect, the security update coming from ESM won't be counted, which is exactly this bug. So the regression potential in this one liner is that it remains uncounted.
[Other Info]
Instead of fixing the pocket's name, we could have *added* a new pocket with the current correct name, since the server part of ESM responds to both trusty-security and trusyt-infra-security (with origin UbuntuESM).
The reasons we didn't do that are:
- only the old bash client (version 10) used the old pocket name, and it's not available for trusty anymore (unless you go to https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+publishinghistory and fetch it)
- there was a concern about potentially counting updates twice, if both trusty-security and trusty-infra-security were enabled at the same time
- the upgrade from the bash client (v10) to the current client DOES NOT change the pocket name in the sources.list snippet for ESM, so in that brief moment after an upgrade and before a reattach, the count would be zero just like in this bug. HOWEVER, it's a known process that after upgrading from the bash client to the current one, the machine has to be attached again. See the last paragraph of the description in https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1832757, which is when the non-bash client was SRUed, reproduced below:
"""
On an upgrade, existing users of trusty esm are expected to run "sudo ua attach [<token>]", although not doing it won't disable their existing ESM access. The new ua tool just won't recognize esm as being active in its "ua status" output until the attach operation is complete. The same applies to livepatch, if it was enabled before.
"""
The process of attaching will rewrite the pocket name in the local sources.list file snippet from trusty-security to trusty-infra-security.
Finally, this update is for trusty only. Xenial doesn't have ESM yet, and updating update-notifier there would be an useless download for users, with a regression risk for no benefit.
[Original Description]
ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.
The customer issue reported catches the symptom well:
"""
I believe there's a problem with "apt_check.py" in the "update-notifier-common" package when using "ua". I have enabled "ua" via "ua attach" and yet "apt-check" shows updates, but does not specify they are security updates, even though they are:
mrussell@deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
8 updates can be installed immediately.
8 of these updates are provided through UA Infrastructure ESM.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
Note, these are the packages:
mrussell@deputy:~$ apt list --upgradable
Listing... Done
apt/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable
from: 1.0.1ubuntu2.24]
apt-transport-https/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
apt-utils/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libapt-inst1.5/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libapt-pkg4.12/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libjson-c2/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
libjson0/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
If I change "isSecurityUpgrade()" to also include this
value in "security_pockets": ("UbuntuESM", "%s-infra-security" % DISTRO),
then, the output is correct:
mrussell@deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
8 updates can be installed immediately.
8 of these updates are provided through UA Infrastructure ESM.
8 of these updates are security updates.
To see these additional updates run: apt list --upgradable
""" |
[Impact]
ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.
[Test Case]
* Launch a trusty/xenial/bionic/focal lxd from ua-client/proposed PPA.
* Run the script that displays the motd bit about available updates:
sudo /usr/lib/update-notifier/apt-check --human-readable
* The output should be something like this, signaling there are only ESM updates available:
"""
UA Infrastructure Extended Security Maintenance (ESM) is not enabled.
0 updates can be installed immediately.
0 of these updates are security updates.
Enable UA Infrastructure ESM to receive 88 additional security updates.
See https://ubuntu.com/advantage or run: sudo ua status
"""
* Obtain an UA token for free at https://ubuntu.com/advantage
* Run attach:
sudo ua attach <token-obtained-in-previous-step>
* Confirm that esm-infra was enabled:
sudo ua status
* Run this command again to display the motd banner output about available updates:
sudo /usr/lib/update-notifier/apt-check --human-readable
* You should get something like this without the fix for this bug:
"""
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
89 updates can be installed immediately.
89 of these updates are provided through UA Infrastructure ESM.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
"""
* In the output above, which is without the fix, note how none of the available updates are flagged as security
* With the updated update-notifier package, the security updates count correctly includes the ESM security updates:
"""
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
88 updates can be installed immediately.
88 of these updates are provided through UA Infrastructure ESM.
85 of these updates are security updates.
To see these additional updates run: apt list --upgradable
"""
Test Script:
#!/bin/bash
#
# SRU Verification update-notifier + ubuntu=advantage-tools
# Test procedure:
# - launch container Trusty, Xenial or Bionic
# - Install ubuntu-advantage-tools from https://launchpad.net/~ua-client/+archive/ubuntu/proposed which supports esm on trusty, xenial, bionic, and focal
# - Attach container to UA subscription (which activates the ESM APT repos
# - run apt_check --human-readable to assert ESM pkg counts ARE NOT reported
# - Upgrade update-notifier to -proposed
# - re-run apt_check --human-readable to assert ESM pkg counts ARE reported
set -e
UA_TOKEN=$1
if [ -z "$1" ]; then
echo "Usage: $0 <contractTOKEN>"
exit 1
fi
cat > test-un.yaml <<EOF
#cloud-config
ssh_import_id: [chad.smith]
package_update: true
package_upgrade: true
apt:
sources:
ua.proposed:
source: deb http://ppa.launchpad.net/ua-client/staging/ubuntu \$RELEASE main
keyid: 6E34E7116C0BC933
EOF
cat > setup_proposed.sh <<EOF
#/bin/bash
mirror=http://archive.ubuntu.com/ubuntu
echo deb \$mirror \$(lsb_release -sc)-proposed main | tee /etc/apt/sources.list.d/proposed.list
apt-get update -q
apt-get install -qy update-notifier-common
EOF
wait_for_boot() {
local vm=$1 release=$2
echo "--- Wait for cloud-init to finish"
sleep 5
lxc exec ${vm} -- cloud-init status --wait --long
}
for release in bionic; do
echo "--- BEGIN $release update-notifier testing"
vm=test-sru-$release
echo "--- Launch cloud-init with ppa:ua-client/proposed enabled"
lxc launch ubuntu-daily:${release} ${vm} -c user.user-data="$(cat test-un.yaml)"
wait_for_boot ${vm} ${release}
echo "--- Attach Ubuntu-Advantage, enabling services"
lxc exec ${vm} -- ua attach ${UA_TOKEN}
case "$release" in
xenial)
UPGRADE_MATCH="0 updates are security updates";
downrev_pkg="libkrad0=1.13.2+dfsg-5";;
bionic)
UPGRADE_MATCH="1 update is a security update"
downrev_pkg="libkrad0=1.16-2build1";;
focal)
UPGRADE_MATCH="0 updates are security updates"
downrev_pkg="hello=2.10-2ubuntu2";;
groovy)
UPGRADE_MATCH="1 of these updates is a security update"
downrev_pkg="apport-retrace=2.20.11-0ubuntu50";;
esac
echo "-- Downgrading package to stable ubuntu release $downrev_pkg"
lxc exec ${vm} -- apt-get install $downrev_pkg --yes -q
lxc exec ${vm} -- dpkg-query --show update-notifier
MOTD=`lxc exec ${vm} -- /usr/lib/update-notifier/apt-check --human-readable`
echo ${MOTD}
POST_UPGRADE_MSG="UA Infra: Extended Security Maintenance (ESM) is enabled"
echo $MOTD | grep -q "${POST_UPGRADE_MSG}" && echo "FAILURE: found ${POST_UPGRADE_MSG}" || echo "SUCCESS: did not find ${POST_UPGRADE_MSG=}"
echo $MOTD | grep -q "${UPGRADE_MATCH}" && echo "SUCCESS: found ${UPGRADE_MATCH} security updates pre-upgrade" || echo "FAILURE: did not find expected ${UPGRADE_MATCH} ESM security updates"
echo "--- Upgrade update-notifier from -proposed"
lxc file push setup_proposed.sh ${vm}/
lxc exec ${vm} -- bash /setup_proposed.sh | grep update-notifier
lxc exec ${vm} -- dpkg-query --show update-notifier
MOTD=`lxc exec ${vm} -- /usr/lib/update-notifier/apt-check --human-readable`
echo $MOTD | grep -q "${POST_UPGRADE_MSG}" && echo "SUCCESS: found ${POST_UPGRADE_MSG}" || echo "FAILURE: did not find ${POST_UPGRADE_MSG=}"
echo "--- Expect non-zero upgradable packages for MOTD from apt_check AFTER upgrade"
lxc exec ${vm} -- /usr/lib/update-notifier/apt-check --human-readable
lxc exec ${vm} -- /usr/lib/update-notifier/apt-check --human-readable | grep '1 of these updates is a security update' && echo "SUCCESS: found 1 ESM security updates pre-upgrade" || echo "FAILURE: did not find expected 1 ESM security updates"
done
[Regression Potential]
The fix is replacing the old incorrect name (<distro>-security) of the ESM security pocket with the correct one (<distro>-infra-security). The old name came from the old ubuntu-advantage-tools bash client, version 10. If this name remains incorrect, the security update coming from ESM won't be counted, which is exactly this bug. So the regression potential in this one liner is that it remains uncounted.
[Other Info]
Instead of fixing the pocket's name, we could have *added* a new pocket with the current correct name, since the server part of ESM responds to both trusty-security and trusyt-infra-security (with origin UbuntuESM).
The reasons we didn't do that are:
- only the old bash client (version 10) used the old pocket name, and it's not available for trusty anymore (unless you go to https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+publishinghistory and fetch it)
- there was a concern about potentially counting updates twice, if both trusty-security and trusty-infra-security were enabled at the same time
- the upgrade from the bash client (v10) to the current client DOES NOT change the pocket name in the sources.list snippet for ESM, so in that brief moment after an upgrade and before a reattach, the count would be zero just like in this bug. HOWEVER, it's a known process that after upgrading from the bash client to the current one, the machine has to be attached again. See the last paragraph of the description in https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1832757, which is when the non-bash client was SRUed, reproduced below:
"""
On an upgrade, existing users of trusty esm are expected to run "sudo ua attach [<token>]", although not doing it won't disable their existing ESM access. The new ua tool just won't recognize esm as being active in its "ua status" output until the attach operation is complete. The same applies to livepatch, if it was enabled before.
"""
The process of attaching will rewrite the pocket name in the local sources.list file snippet from trusty-security to trusty-infra-security.
Finally, this update is for trusty only. Xenial doesn't have ESM yet, and updating update-notifier there would be an useless download for users, with a regression risk for no benefit.
[Original Description]
ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.
The customer issue reported catches the symptom well:
"""
I believe there's a problem with "apt_check.py" in the "update-notifier-common" package when using "ua". I have enabled "ua" via "ua attach" and yet "apt-check" shows updates, but does not specify they are security updates, even though they are:
mrussell@deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
8 updates can be installed immediately.
8 of these updates are provided through UA Infrastructure ESM.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
Note, these are the packages:
mrussell@deputy:~$ apt list --upgradable
Listing... Done
apt/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable
from: 1.0.1ubuntu2.24]
apt-transport-https/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
apt-utils/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libapt-inst1.5/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libapt-pkg4.12/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libjson-c2/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
libjson0/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
If I change "isSecurityUpgrade()" to also include this
value in "security_pockets": ("UbuntuESM", "%s-infra-security" % DISTRO),
then, the output is correct:
mrussell@deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
8 updates can be installed immediately.
8 of these updates are provided through UA Infrastructure ESM.
8 of these updates are security updates.
To see these additional updates run: apt list --upgradable
""" |
|
2020-12-19 04:53:29 |
Chad Smith |
tags |
patch rls-gg-incoming verification-needed-bionic verification-needed-xenial |
patch rls-gg-incoming verification-done-bionic verification-needed-xenial |
|
2020-12-21 14:15:16 |
Timo Aaltonen |
tags |
patch rls-gg-incoming verification-done-bionic verification-needed-xenial |
patch rls-gg-incoming verification-done-bionic verification-needed verification-needed-xenial |
|
2020-12-27 21:50:14 |
Chad Smith |
description |
[Impact]
ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.
[Test Case]
* Launch a trusty/xenial/bionic/focal lxd from ua-client/proposed PPA.
* Run the script that displays the motd bit about available updates:
sudo /usr/lib/update-notifier/apt-check --human-readable
* The output should be something like this, signaling there are only ESM updates available:
"""
UA Infrastructure Extended Security Maintenance (ESM) is not enabled.
0 updates can be installed immediately.
0 of these updates are security updates.
Enable UA Infrastructure ESM to receive 88 additional security updates.
See https://ubuntu.com/advantage or run: sudo ua status
"""
* Obtain an UA token for free at https://ubuntu.com/advantage
* Run attach:
sudo ua attach <token-obtained-in-previous-step>
* Confirm that esm-infra was enabled:
sudo ua status
* Run this command again to display the motd banner output about available updates:
sudo /usr/lib/update-notifier/apt-check --human-readable
* You should get something like this without the fix for this bug:
"""
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
89 updates can be installed immediately.
89 of these updates are provided through UA Infrastructure ESM.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
"""
* In the output above, which is without the fix, note how none of the available updates are flagged as security
* With the updated update-notifier package, the security updates count correctly includes the ESM security updates:
"""
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
88 updates can be installed immediately.
88 of these updates are provided through UA Infrastructure ESM.
85 of these updates are security updates.
To see these additional updates run: apt list --upgradable
"""
Test Script:
#!/bin/bash
#
# SRU Verification update-notifier + ubuntu=advantage-tools
# Test procedure:
# - launch container Trusty, Xenial or Bionic
# - Install ubuntu-advantage-tools from https://launchpad.net/~ua-client/+archive/ubuntu/proposed which supports esm on trusty, xenial, bionic, and focal
# - Attach container to UA subscription (which activates the ESM APT repos
# - run apt_check --human-readable to assert ESM pkg counts ARE NOT reported
# - Upgrade update-notifier to -proposed
# - re-run apt_check --human-readable to assert ESM pkg counts ARE reported
set -e
UA_TOKEN=$1
if [ -z "$1" ]; then
echo "Usage: $0 <contractTOKEN>"
exit 1
fi
cat > test-un.yaml <<EOF
#cloud-config
ssh_import_id: [chad.smith]
package_update: true
package_upgrade: true
apt:
sources:
ua.proposed:
source: deb http://ppa.launchpad.net/ua-client/staging/ubuntu \$RELEASE main
keyid: 6E34E7116C0BC933
EOF
cat > setup_proposed.sh <<EOF
#/bin/bash
mirror=http://archive.ubuntu.com/ubuntu
echo deb \$mirror \$(lsb_release -sc)-proposed main | tee /etc/apt/sources.list.d/proposed.list
apt-get update -q
apt-get install -qy update-notifier-common
EOF
wait_for_boot() {
local vm=$1 release=$2
echo "--- Wait for cloud-init to finish"
sleep 5
lxc exec ${vm} -- cloud-init status --wait --long
}
for release in bionic; do
echo "--- BEGIN $release update-notifier testing"
vm=test-sru-$release
echo "--- Launch cloud-init with ppa:ua-client/proposed enabled"
lxc launch ubuntu-daily:${release} ${vm} -c user.user-data="$(cat test-un.yaml)"
wait_for_boot ${vm} ${release}
echo "--- Attach Ubuntu-Advantage, enabling services"
lxc exec ${vm} -- ua attach ${UA_TOKEN}
case "$release" in
xenial)
UPGRADE_MATCH="0 updates are security updates";
downrev_pkg="libkrad0=1.13.2+dfsg-5";;
bionic)
UPGRADE_MATCH="1 update is a security update"
downrev_pkg="libkrad0=1.16-2build1";;
focal)
UPGRADE_MATCH="0 updates are security updates"
downrev_pkg="hello=2.10-2ubuntu2";;
groovy)
UPGRADE_MATCH="1 of these updates is a security update"
downrev_pkg="apport-retrace=2.20.11-0ubuntu50";;
esac
echo "-- Downgrading package to stable ubuntu release $downrev_pkg"
lxc exec ${vm} -- apt-get install $downrev_pkg --yes -q
lxc exec ${vm} -- dpkg-query --show update-notifier
MOTD=`lxc exec ${vm} -- /usr/lib/update-notifier/apt-check --human-readable`
echo ${MOTD}
POST_UPGRADE_MSG="UA Infra: Extended Security Maintenance (ESM) is enabled"
echo $MOTD | grep -q "${POST_UPGRADE_MSG}" && echo "FAILURE: found ${POST_UPGRADE_MSG}" || echo "SUCCESS: did not find ${POST_UPGRADE_MSG=}"
echo $MOTD | grep -q "${UPGRADE_MATCH}" && echo "SUCCESS: found ${UPGRADE_MATCH} security updates pre-upgrade" || echo "FAILURE: did not find expected ${UPGRADE_MATCH} ESM security updates"
echo "--- Upgrade update-notifier from -proposed"
lxc file push setup_proposed.sh ${vm}/
lxc exec ${vm} -- bash /setup_proposed.sh | grep update-notifier
lxc exec ${vm} -- dpkg-query --show update-notifier
MOTD=`lxc exec ${vm} -- /usr/lib/update-notifier/apt-check --human-readable`
echo $MOTD | grep -q "${POST_UPGRADE_MSG}" && echo "SUCCESS: found ${POST_UPGRADE_MSG}" || echo "FAILURE: did not find ${POST_UPGRADE_MSG=}"
echo "--- Expect non-zero upgradable packages for MOTD from apt_check AFTER upgrade"
lxc exec ${vm} -- /usr/lib/update-notifier/apt-check --human-readable
lxc exec ${vm} -- /usr/lib/update-notifier/apt-check --human-readable | grep '1 of these updates is a security update' && echo "SUCCESS: found 1 ESM security updates pre-upgrade" || echo "FAILURE: did not find expected 1 ESM security updates"
done
[Regression Potential]
The fix is replacing the old incorrect name (<distro>-security) of the ESM security pocket with the correct one (<distro>-infra-security). The old name came from the old ubuntu-advantage-tools bash client, version 10. If this name remains incorrect, the security update coming from ESM won't be counted, which is exactly this bug. So the regression potential in this one liner is that it remains uncounted.
[Other Info]
Instead of fixing the pocket's name, we could have *added* a new pocket with the current correct name, since the server part of ESM responds to both trusty-security and trusyt-infra-security (with origin UbuntuESM).
The reasons we didn't do that are:
- only the old bash client (version 10) used the old pocket name, and it's not available for trusty anymore (unless you go to https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+publishinghistory and fetch it)
- there was a concern about potentially counting updates twice, if both trusty-security and trusty-infra-security were enabled at the same time
- the upgrade from the bash client (v10) to the current client DOES NOT change the pocket name in the sources.list snippet for ESM, so in that brief moment after an upgrade and before a reattach, the count would be zero just like in this bug. HOWEVER, it's a known process that after upgrading from the bash client to the current one, the machine has to be attached again. See the last paragraph of the description in https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1832757, which is when the non-bash client was SRUed, reproduced below:
"""
On an upgrade, existing users of trusty esm are expected to run "sudo ua attach [<token>]", although not doing it won't disable their existing ESM access. The new ua tool just won't recognize esm as being active in its "ua status" output until the attach operation is complete. The same applies to livepatch, if it was enabled before.
"""
The process of attaching will rewrite the pocket name in the local sources.list file snippet from trusty-security to trusty-infra-security.
Finally, this update is for trusty only. Xenial doesn't have ESM yet, and updating update-notifier there would be an useless download for users, with a regression risk for no benefit.
[Original Description]
ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.
The customer issue reported catches the symptom well:
"""
I believe there's a problem with "apt_check.py" in the "update-notifier-common" package when using "ua". I have enabled "ua" via "ua attach" and yet "apt-check" shows updates, but does not specify they are security updates, even though they are:
mrussell@deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
8 updates can be installed immediately.
8 of these updates are provided through UA Infrastructure ESM.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
Note, these are the packages:
mrussell@deputy:~$ apt list --upgradable
Listing... Done
apt/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable
from: 1.0.1ubuntu2.24]
apt-transport-https/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
apt-utils/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libapt-inst1.5/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libapt-pkg4.12/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libjson-c2/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
libjson0/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
If I change "isSecurityUpgrade()" to also include this
value in "security_pockets": ("UbuntuESM", "%s-infra-security" % DISTRO),
then, the output is correct:
mrussell@deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
8 updates can be installed immediately.
8 of these updates are provided through UA Infrastructure ESM.
8 of these updates are security updates.
To see these additional updates run: apt list --upgradable
""" |
[Impact]
ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.
[Test Case]
* Launch a trusty/xenial/bionic/focal lxd from ua-client/proposed PPA.
* Run the script that displays the motd bit about available updates:
sudo /usr/lib/update-notifier/apt-check --human-readable
* The output should be something like this, signaling there are only ESM updates available:
"""
UA Infrastructure Extended Security Maintenance (ESM) is not enabled.
0 updates can be installed immediately.
0 of these updates are security updates.
Enable UA Infrastructure ESM to receive 88 additional security updates.
See https://ubuntu.com/advantage or run: sudo ua status
"""
* Obtain an UA token for free at https://ubuntu.com/advantage
* Run attach:
sudo ua attach <token-obtained-in-previous-step>
* Confirm that esm-infra was enabled:
sudo ua status
* Run this command again to display the motd banner output about available updates:
sudo /usr/lib/update-notifier/apt-check --human-readable
* You should get something like this without the fix for this bug:
"""
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
89 updates can be installed immediately.
89 of these updates are provided through UA Infrastructure ESM.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
"""
* In the output above, which is without the fix, note how none of the available updates are flagged as security
* With the updated update-notifier package, the security updates count correctly includes the ESM security updates:
"""
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
88 updates can be installed immediately.
88 of these updates are provided through UA Infrastructure ESM.
85 of these updates are security updates.
To see these additional updates run: apt list --upgradable
"""
Test Script:
#!/bin/bash
#
# SRU Verification update-notifier + ubuntu=advantage-tools
# Test procedure:
# - launch container Trusty, Xenial or Bionic
# - Install ubuntu-advantage-tools from https://launchpad.net/~ua-client/+archive/ubuntu/proposed which supports esm on trusty, xenial, bionic, and focal
# - Attach container to UA subscription (which activates the ESM APT repos
# - run apt_check --human-readable to assert ESM pkg counts ARE NOT reported
# - Upgrade update-notifier to -proposed
# - re-run apt_check --human-readable to assert ESM pkg counts ARE reported
set -e
UA_TOKEN=$1
if [ -z "$1" ]; then
echo "Usage: $0 <contractTOKEN>"
exit 1
fi
cat > test-un.yaml <<EOF
#cloud-config
ssh_import_id: [chad.smith]
package_update: true
package_upgrade: true
apt:
sources:
ua.proposed:
source: deb http://ppa.launchpad.net/ua-client/staging/ubuntu \$RELEASE main
keyid: 6E34E7116C0BC933
EOF
cat > setup_proposed.sh <<EOF
#/bin/bash
mirror=http://archive.ubuntu.com/ubuntu
echo deb \$mirror \$(lsb_release -sc)-proposed main | tee /etc/apt/sources.list.d/proposed.list
apt-get update -q
apt-get install -qy update-notifier-common
EOF
wait_for_boot() {
local vm=$1 release=$2
echo "--- Wait for cloud-init to finish"
sleep 5
lxc exec ${vm} -- cloud-init status --wait --long
}
for release in xenial; do
echo "--- BEGIN $release update-notifier testing"
vm=test-sru-$release
echo "--- Launch cloud-init with ppa:ua-client/proposed enabled"
lxc launch ubuntu-daily:${release} ${vm} -c user.user-data="$(cat test-un.yaml)"
wait_for_boot ${vm} ${release}
echo "--- Attach Ubuntu-Advantage, enabling services"
lxc exec ${vm} -- ua attach ${UA_TOKEN}
case "$release" in
xenial)
UPGRADE_MATCH="0 updates are security updates";
downrev_pkg="libkrad0=1.13.2+dfsg-5";;
bionic)
UPGRADE_MATCH="1 update is a security update"
downrev_pkg="libkrad0=1.16-2build1";;
focal)
UPGRADE_MATCH="0 updates are security updates"
downrev_pkg="hello=2.10-2ubuntu2";;
groovy)
UPGRADE_MATCH="1 of these updates is a security update"
downrev_pkg="apport-retrace=2.20.11-0ubuntu50";;
esac
echo "-- Downgrading package to stable ubuntu release $downrev_pkg"
lxc exec ${vm} -- apt-get install $downrev_pkg --yes -q
lxc exec ${vm} -- dpkg-query --show update-notifier
if [ "$release" = "xenial" ]; then
# Xenial-updates and xenial-security have already included esm PPA package updates.
# Drop the xenial-updates and xenial-security apt sources so we can be sure we are seeing only
# available esm updates
lxc exec ${vm} -- sed -e "/xenial-updates/ s/^#*/#/" -i /etc/apt/sources.list
lxc exec ${vm} -- sed -e "/xenial-security/ s/^#*/#/" -i /etc/apt/sources.list
lxc exec ${vm} -- apt-get update
fi
MOTD=`lxc exec ${vm} -- /usr/lib/update-notifier/apt-check --human-readable`
echo ${MOTD}
POST_UPGRADE_MSG="UA Infra: Extended Security Maintenance (ESM) is enabled"
echo $MOTD | grep -q "${POST_UPGRADE_MSG}" && echo "FAILURE: found ${POST_UPGRADE_MSG}" || echo "SUCCESS: did not find ${POST_UPGRADE_MSG=}"
echo $MOTD | grep -q "${UPGRADE_MATCH}" && echo "SUCCESS: found ${UPGRADE_MATCH} security updates pre-upgrade" || echo "FAILURE: did not find expected ${UPGRADE_MATCH} ESM security updates"
echo "--- Upgrade update-notifier from -proposed"
lxc file push setup_proposed.sh ${vm}/
lxc exec ${vm} -- bash /setup_proposed.sh | grep update-notifier
lxc exec ${vm} -- dpkg-query --show update-notifier
MOTD=`lxc exec ${vm} -- /usr/lib/update-notifier/apt-check --human-readable`
echo $MOTD | grep -q "${POST_UPGRADE_MSG}" && echo "SUCCESS: found ${POST_UPGRADE_MSG}" || echo "FAILURE: did not find ${POST_UPGRADE_MSG=}"
echo "--- Expect non-zero upgradable packages for MOTD from apt_check AFTER upgrade"
lxc exec ${vm} -- /usr/lib/update-notifier/apt-check --human-readable
lxc exec ${vm} -- /usr/lib/update-notifier/apt-check --human-readable | grep '1 of these updates is a security update' && echo "SUCCESS: found 1 ESM security updates pre-upgrade" || echo "FAILURE: did not find expected 1 ESM security updates"
done
[Regression Potential]
The fix is replacing the old incorrect name (<distro>-security) of the ESM security pocket with the correct one (<distro>-infra-security). The old name came from the old ubuntu-advantage-tools bash client, version 10. If this name remains incorrect, the security update coming from ESM won't be counted, which is exactly this bug. So the regression potential in this one liner is that it remains uncounted.
[Other Info]
Instead of fixing the pocket's name, we could have *added* a new pocket with the current correct name, since the server part of ESM responds to both trusty-security and trusyt-infra-security (with origin UbuntuESM).
The reasons we didn't do that are:
- only the old bash client (version 10) used the old pocket name, and it's not available for trusty anymore (unless you go to https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+publishinghistory and fetch it)
- there was a concern about potentially counting updates twice, if both trusty-security and trusty-infra-security were enabled at the same time
- the upgrade from the bash client (v10) to the current client DOES NOT change the pocket name in the sources.list snippet for ESM, so in that brief moment after an upgrade and before a reattach, the count would be zero just like in this bug. HOWEVER, it's a known process that after upgrading from the bash client to the current one, the machine has to be attached again. See the last paragraph of the description in https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1832757, which is when the non-bash client was SRUed, reproduced below:
"""
On an upgrade, existing users of trusty esm are expected to run "sudo ua attach [<token>]", although not doing it won't disable their existing ESM access. The new ua tool just won't recognize esm as being active in its "ua status" output until the attach operation is complete. The same applies to livepatch, if it was enabled before.
"""
The process of attaching will rewrite the pocket name in the local sources.list file snippet from trusty-security to trusty-infra-security.
Finally, this update is for trusty only. Xenial doesn't have ESM yet, and updating update-notifier there would be an useless download for users, with a regression risk for no benefit.
[Original Description]
ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.
The customer issue reported catches the symptom well:
"""
I believe there's a problem with "apt_check.py" in the "update-notifier-common" package when using "ua". I have enabled "ua" via "ua attach" and yet "apt-check" shows updates, but does not specify they are security updates, even though they are:
mrussell@deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
8 updates can be installed immediately.
8 of these updates are provided through UA Infrastructure ESM.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
Note, these are the packages:
mrussell@deputy:~$ apt list --upgradable
Listing... Done
apt/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable
from: 1.0.1ubuntu2.24]
apt-transport-https/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
apt-utils/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libapt-inst1.5/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libapt-pkg4.12/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libjson-c2/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
libjson0/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
If I change "isSecurityUpgrade()" to also include this
value in "security_pockets": ("UbuntuESM", "%s-infra-security" % DISTRO),
then, the output is correct:
mrussell@deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
8 updates can be installed immediately.
8 of these updates are provided through UA Infrastructure ESM.
8 of these updates are security updates.
To see these additional updates run: apt list --upgradable
""" |
|
2020-12-27 21:53:37 |
Chad Smith |
tags |
patch rls-gg-incoming verification-done-bionic verification-needed verification-needed-xenial |
patch rls-gg-incoming verification-done verification-done-bionic verification-done-xenial |
|
2021-01-05 17:02:49 |
Chad Smith |
description |
[Impact]
ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.
[Test Case]
* Launch a trusty/xenial/bionic/focal lxd from ua-client/proposed PPA.
* Run the script that displays the motd bit about available updates:
sudo /usr/lib/update-notifier/apt-check --human-readable
* The output should be something like this, signaling there are only ESM updates available:
"""
UA Infrastructure Extended Security Maintenance (ESM) is not enabled.
0 updates can be installed immediately.
0 of these updates are security updates.
Enable UA Infrastructure ESM to receive 88 additional security updates.
See https://ubuntu.com/advantage or run: sudo ua status
"""
* Obtain an UA token for free at https://ubuntu.com/advantage
* Run attach:
sudo ua attach <token-obtained-in-previous-step>
* Confirm that esm-infra was enabled:
sudo ua status
* Run this command again to display the motd banner output about available updates:
sudo /usr/lib/update-notifier/apt-check --human-readable
* You should get something like this without the fix for this bug:
"""
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
89 updates can be installed immediately.
89 of these updates are provided through UA Infrastructure ESM.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
"""
* In the output above, which is without the fix, note how none of the available updates are flagged as security
* With the updated update-notifier package, the security updates count correctly includes the ESM security updates:
"""
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
88 updates can be installed immediately.
88 of these updates are provided through UA Infrastructure ESM.
85 of these updates are security updates.
To see these additional updates run: apt list --upgradable
"""
Test Script:
#!/bin/bash
#
# SRU Verification update-notifier + ubuntu=advantage-tools
# Test procedure:
# - launch container Trusty, Xenial or Bionic
# - Install ubuntu-advantage-tools from https://launchpad.net/~ua-client/+archive/ubuntu/proposed which supports esm on trusty, xenial, bionic, and focal
# - Attach container to UA subscription (which activates the ESM APT repos
# - run apt_check --human-readable to assert ESM pkg counts ARE NOT reported
# - Upgrade update-notifier to -proposed
# - re-run apt_check --human-readable to assert ESM pkg counts ARE reported
set -e
UA_TOKEN=$1
if [ -z "$1" ]; then
echo "Usage: $0 <contractTOKEN>"
exit 1
fi
cat > test-un.yaml <<EOF
#cloud-config
ssh_import_id: [chad.smith]
package_update: true
package_upgrade: true
apt:
sources:
ua.proposed:
source: deb http://ppa.launchpad.net/ua-client/staging/ubuntu \$RELEASE main
keyid: 6E34E7116C0BC933
EOF
cat > setup_proposed.sh <<EOF
#/bin/bash
mirror=http://archive.ubuntu.com/ubuntu
echo deb \$mirror \$(lsb_release -sc)-proposed main | tee /etc/apt/sources.list.d/proposed.list
apt-get update -q
apt-get install -qy update-notifier-common
EOF
wait_for_boot() {
local vm=$1 release=$2
echo "--- Wait for cloud-init to finish"
sleep 5
lxc exec ${vm} -- cloud-init status --wait --long
}
for release in xenial; do
echo "--- BEGIN $release update-notifier testing"
vm=test-sru-$release
echo "--- Launch cloud-init with ppa:ua-client/proposed enabled"
lxc launch ubuntu-daily:${release} ${vm} -c user.user-data="$(cat test-un.yaml)"
wait_for_boot ${vm} ${release}
echo "--- Attach Ubuntu-Advantage, enabling services"
lxc exec ${vm} -- ua attach ${UA_TOKEN}
case "$release" in
xenial)
UPGRADE_MATCH="0 updates are security updates";
downrev_pkg="libkrad0=1.13.2+dfsg-5";;
bionic)
UPGRADE_MATCH="1 update is a security update"
downrev_pkg="libkrad0=1.16-2build1";;
focal)
UPGRADE_MATCH="0 updates are security updates"
downrev_pkg="hello=2.10-2ubuntu2";;
groovy)
UPGRADE_MATCH="1 of these updates is a security update"
downrev_pkg="apport-retrace=2.20.11-0ubuntu50";;
esac
echo "-- Downgrading package to stable ubuntu release $downrev_pkg"
lxc exec ${vm} -- apt-get install $downrev_pkg --yes -q
lxc exec ${vm} -- dpkg-query --show update-notifier
if [ "$release" = "xenial" ]; then
# Xenial-updates and xenial-security have already included esm PPA package updates.
# Drop the xenial-updates and xenial-security apt sources so we can be sure we are seeing only
# available esm updates
lxc exec ${vm} -- sed -e "/xenial-updates/ s/^#*/#/" -i /etc/apt/sources.list
lxc exec ${vm} -- sed -e "/xenial-security/ s/^#*/#/" -i /etc/apt/sources.list
lxc exec ${vm} -- apt-get update
fi
MOTD=`lxc exec ${vm} -- /usr/lib/update-notifier/apt-check --human-readable`
echo ${MOTD}
POST_UPGRADE_MSG="UA Infra: Extended Security Maintenance (ESM) is enabled"
echo $MOTD | grep -q "${POST_UPGRADE_MSG}" && echo "FAILURE: found ${POST_UPGRADE_MSG}" || echo "SUCCESS: did not find ${POST_UPGRADE_MSG=}"
echo $MOTD | grep -q "${UPGRADE_MATCH}" && echo "SUCCESS: found ${UPGRADE_MATCH} security updates pre-upgrade" || echo "FAILURE: did not find expected ${UPGRADE_MATCH} ESM security updates"
echo "--- Upgrade update-notifier from -proposed"
lxc file push setup_proposed.sh ${vm}/
lxc exec ${vm} -- bash /setup_proposed.sh | grep update-notifier
lxc exec ${vm} -- dpkg-query --show update-notifier
MOTD=`lxc exec ${vm} -- /usr/lib/update-notifier/apt-check --human-readable`
echo $MOTD | grep -q "${POST_UPGRADE_MSG}" && echo "SUCCESS: found ${POST_UPGRADE_MSG}" || echo "FAILURE: did not find ${POST_UPGRADE_MSG=}"
echo "--- Expect non-zero upgradable packages for MOTD from apt_check AFTER upgrade"
lxc exec ${vm} -- /usr/lib/update-notifier/apt-check --human-readable
lxc exec ${vm} -- /usr/lib/update-notifier/apt-check --human-readable | grep '1 of these updates is a security update' && echo "SUCCESS: found 1 ESM security updates pre-upgrade" || echo "FAILURE: did not find expected 1 ESM security updates"
done
[Regression Potential]
The fix is replacing the old incorrect name (<distro>-security) of the ESM security pocket with the correct one (<distro>-infra-security). The old name came from the old ubuntu-advantage-tools bash client, version 10. If this name remains incorrect, the security update coming from ESM won't be counted, which is exactly this bug. So the regression potential in this one liner is that it remains uncounted.
[Other Info]
Instead of fixing the pocket's name, we could have *added* a new pocket with the current correct name, since the server part of ESM responds to both trusty-security and trusyt-infra-security (with origin UbuntuESM).
The reasons we didn't do that are:
- only the old bash client (version 10) used the old pocket name, and it's not available for trusty anymore (unless you go to https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+publishinghistory and fetch it)
- there was a concern about potentially counting updates twice, if both trusty-security and trusty-infra-security were enabled at the same time
- the upgrade from the bash client (v10) to the current client DOES NOT change the pocket name in the sources.list snippet for ESM, so in that brief moment after an upgrade and before a reattach, the count would be zero just like in this bug. HOWEVER, it's a known process that after upgrading from the bash client to the current one, the machine has to be attached again. See the last paragraph of the description in https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1832757, which is when the non-bash client was SRUed, reproduced below:
"""
On an upgrade, existing users of trusty esm are expected to run "sudo ua attach [<token>]", although not doing it won't disable their existing ESM access. The new ua tool just won't recognize esm as being active in its "ua status" output until the attach operation is complete. The same applies to livepatch, if it was enabled before.
"""
The process of attaching will rewrite the pocket name in the local sources.list file snippet from trusty-security to trusty-infra-security.
Finally, this update is for trusty only. Xenial doesn't have ESM yet, and updating update-notifier there would be an useless download for users, with a regression risk for no benefit.
[Original Description]
ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.
The customer issue reported catches the symptom well:
"""
I believe there's a problem with "apt_check.py" in the "update-notifier-common" package when using "ua". I have enabled "ua" via "ua attach" and yet "apt-check" shows updates, but does not specify they are security updates, even though they are:
mrussell@deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
8 updates can be installed immediately.
8 of these updates are provided through UA Infrastructure ESM.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
Note, these are the packages:
mrussell@deputy:~$ apt list --upgradable
Listing... Done
apt/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable
from: 1.0.1ubuntu2.24]
apt-transport-https/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
apt-utils/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libapt-inst1.5/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libapt-pkg4.12/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libjson-c2/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
libjson0/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
If I change "isSecurityUpgrade()" to also include this
value in "security_pockets": ("UbuntuESM", "%s-infra-security" % DISTRO),
then, the output is correct:
mrussell@deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
8 updates can be installed immediately.
8 of these updates are provided through UA Infrastructure ESM.
8 of these updates are security updates.
To see these additional updates run: apt list --upgradable
""" |
[Impact]
ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.
[Test Case]
* Launch a trusty/xenial/bionic/focal lxd from ua-client/proposed PPA.
* Run the script that displays the motd bit about available updates:
sudo /usr/lib/update-notifier/apt-check --human-readable
* The output should be something like this, signaling there are only ESM updates available:
"""
UA Infrastructure Extended Security Maintenance (ESM) is not enabled.
0 updates can be installed immediately.
0 of these updates are security updates.
Enable UA Infrastructure ESM to receive 88 additional security updates.
See https://ubuntu.com/advantage or run: sudo ua status
"""
* Obtain an UA token for free at https://ubuntu.com/advantage
* Run attach:
sudo ua attach <token-obtained-in-previous-step>
* Confirm that esm-infra was enabled:
sudo ua status
* Run this command again to display the motd banner output about available updates:
sudo /usr/lib/update-notifier/apt-check --human-readable
* You should get something like this without the fix for this bug:
"""
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
89 updates can be installed immediately.
89 of these updates are provided through UA Infrastructure ESM.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
"""
* In the output above, which is without the fix, note how none of the available updates are flagged as security
* With the updated update-notifier package, the security updates count correctly includes the ESM security updates:
"""
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
88 updates can be installed immediately.
88 of these updates are provided through UA Infrastructure ESM.
85 of these updates are security updates.
To see these additional updates run: apt list --upgradable
"""
Test Script:
#!/bin/bash
#
# SRU Verification update-notifier + ubuntu=advantage-tools
# Test procedure:
# - launch container Trusty, Xenial or Bionic
# - Install ubuntu-advantage-tools from https://launchpad.net/~ua-client/+archive/ubuntu/proposed which supports esm on trusty, xenial, bionic, and focal
# - Attach container to UA subscription (which activates the ESM APT repos
# - run apt_check --human-readable to assert ESM pkg counts ARE NOT reported
# - Upgrade update-notifier to -proposed
# - re-run apt_check --human-readable to assert ESM pkg counts ARE reported
set -e
UA_TOKEN=$1
if [ -z "$1" ]; then
echo "Usage: $0 <contractTOKEN>"
exit 1
fi
cat > test-un.yaml <<EOF
#cloud-config
ssh_import_id: [chad.smith]
package_update: true
package_upgrade: true
apt:
sources:
ua.proposed:
source: deb http://ppa.launchpad.net/ua-client/staging/ubuntu \$RELEASE main
keyid: 6E34E7116C0BC933
EOF
cat > setup_proposed.sh <<EOF
#/bin/bash
mirror=http://archive.ubuntu.com/ubuntu
echo deb \$mirror \$(lsb_release -sc)-proposed main | tee /etc/apt/sources.list.d/proposed.list
apt-get update -q
apt-get install -qy update-notifier-common
EOF
find_substr() {
local needle="$1" haystack="$2"
echo $haystack | grep -q "${needle}" && echo "SUCCESS: found ${needle}" || echo "FAILURE: did not find ${needle}"
}
dont_find_substr() {
local needle="$1" haystack="$2"
echo $haystack | grep -q "${needle}" && echo "FAILURE: found ${needle}" || echo "SUCCESS: did not find ${needle}"
}
wait_for_boot() {
local vm=$1 release=$2
echo "--- Wait for cloud-init to finish"
sleep 5
lxc exec ${vm} -- cloud-init status --wait --long
}
for release in focal; do
echo "--- BEGIN $release update-notifier testing"
vm=test-sru-$release
echo "--- Launch cloud-init with ppa:ua-client/proposed enabled"
lxc launch ubuntu-daily:${release} ${vm} -c user.user-data="$(cat test-un.yaml)"
wait_for_boot ${vm} ${release}
echo "--- Attach Ubuntu-Advantage, enabling services"
lxc exec ${vm} -- ua attach ${UA_TOKEN}
case "$release" in
xenial)
UPGRADE_MATCH="0 updates are security updates";
downrev_pkg="libkrad0=1.13.2+dfsg-5";;
bionic)
UPGRADE_MATCH="1 update is a security update"
downrev_pkg="libkrad0=1.16-2build1";;
focal)
UPGRADE_MATCH="0 of these updates are security updates"
downrev_pkg="hello=2.10-2ubuntu2";;
groovy)
UPGRADE_MATCH="1 of these updates is a security update"
downrev_pkg="apport-retrace=2.20.11-0ubuntu50";;
esac
echo "-- Downgrading package to stable ubuntu release $downrev_pkg"
lxc exec ${vm} -- apt-get install $downrev_pkg --yes -q
lxc exec ${vm} -- dpkg-query --show update-notifier
if [ "$release" = "xenial" ]; then
# Xenial-updates have already included esm package updates.
# Drop the xenial-updates apt source so we can be sure we are seeing only
# available esm updates
lxc exec ${vm} -- sed -e "/xenial-updates/ s/^#*/#/" -i /etc/apt/sources.list
lxc exec ${vm} -- sed -e "/xenial-security/ s/^#*/#/" -i /etc/apt/sources.list
lxc exec ${vm} -- apt-get update
fi
MOTD=`lxc exec ${vm} -- /usr/lib/update-notifier/apt-check --human-readable`
echo -e ${MOTD}
PRE_UPGRADE_MSG="UA Infrastructure Extended Security Maintenance (ESM) is enabled."
POST_UPGRADE_MSG="UA Infra: Extended Security Maintenance (ESM) is enabled"
find_substr "${PRE_UPGRADE_MSG}" "${MOTD}"
dont_find_substr "${POST_UPGRADE_MSG}" "${MOTD}"
find_substr "${UPGRADE_MATCH}" "${MOTD}"
echo "--- Upgrade update-notifier from -proposed"
lxc file push setup_proposed.sh ${vm}/
lxc exec ${vm} -- bash /setup_proposed.sh | grep update-notifier
lxc exec ${vm} -- dpkg-query --show update-notifier
MOTD=`lxc exec ${vm} -- /usr/lib/update-notifier/apt-check --human-readable`
echo -e $MOTD
find_substr "${POST_UPGRADE_MSG}" "${MOTD}"
echo "--- Expect non-zero upgradable packages for MOTD from apt_check AFTER upgrade"
find_substr "1 of these updates is a security update" "${MOTD}"
done
[Regression Potential]
The fix is replacing the old incorrect name (<distro>-security) of the ESM security pocket with the correct one (<distro>-infra-security). The old name came from the old ubuntu-advantage-tools bash client, version 10. If this name remains incorrect, the security update coming from ESM won't be counted, which is exactly this bug. So the regression potential in this one liner is that it remains uncounted.
[Other Info]
Instead of fixing the pocket's name, we could have *added* a new pocket with the current correct name, since the server part of ESM responds to both trusty-security and trusyt-infra-security (with origin UbuntuESM).
The reasons we didn't do that are:
- only the old bash client (version 10) used the old pocket name, and it's not available for trusty anymore (unless you go to https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+publishinghistory and fetch it)
- there was a concern about potentially counting updates twice, if both trusty-security and trusty-infra-security were enabled at the same time
- the upgrade from the bash client (v10) to the current client DOES NOT change the pocket name in the sources.list snippet for ESM, so in that brief moment after an upgrade and before a reattach, the count would be zero just like in this bug. HOWEVER, it's a known process that after upgrading from the bash client to the current one, the machine has to be attached again. See the last paragraph of the description in https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1832757, which is when the non-bash client was SRUed, reproduced below:
"""
On an upgrade, existing users of trusty esm are expected to run "sudo ua attach [<token>]", although not doing it won't disable their existing ESM access. The new ua tool just won't recognize esm as being active in its "ua status" output until the attach operation is complete. The same applies to livepatch, if it was enabled before.
"""
The process of attaching will rewrite the pocket name in the local sources.list file snippet from trusty-security to trusty-infra-security.
Finally, this update is for trusty only. Xenial doesn't have ESM yet, and updating update-notifier there would be an useless download for users, with a regression risk for no benefit.
[Original Description]
ESM-related Security pocket packages are not reported being classified as security due to a rename in the backend apt suites from esm-security -> esm-infra-security and esm-apps-security.
The customer issue reported catches the symptom well:
"""
I believe there's a problem with "apt_check.py" in the "update-notifier-common" package when using "ua". I have enabled "ua" via "ua attach" and yet "apt-check" shows updates, but does not specify they are security updates, even though they are:
mrussell@deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
8 updates can be installed immediately.
8 of these updates are provided through UA Infrastructure ESM.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
Note, these are the packages:
mrussell@deputy:~$ apt list --upgradable
Listing... Done
apt/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable
from: 1.0.1ubuntu2.24]
apt-transport-https/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
apt-utils/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libapt-inst1.5/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libapt-pkg4.12/trusty-infra-security 1.0.1ubuntu2.24+esm1 amd64 [upgradable from: 1.0.1ubuntu2.24]
libjson-c2/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
libjson0/trusty-infra-security 0.11-3ubuntu1.2+esm3 amd64 [upgradable from: 0.11-3ubuntu1.2+esm2]
If I change "isSecurityUpgrade()" to also include this
value in "security_pockets": ("UbuntuESM", "%s-infra-security" % DISTRO),
then, the output is correct:
mrussell@deputy:~$ /usr/lib/update-notifier/apt-check --human-readable
UA Infrastructure Extended Security Maintenance (ESM) is enabled.
8 updates can be installed immediately.
8 of these updates are provided through UA Infrastructure ESM.
8 of these updates are security updates.
To see these additional updates run: apt list --upgradable
""" |
|
2021-01-05 17:03:27 |
Chad Smith |
tags |
patch rls-gg-incoming verification-done verification-done-bionic verification-done-xenial |
patch rls-gg-incoming verification-done verification-done-bionic verification-done-focal verification-done-xenial |
|
2021-01-05 19:22:54 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2021-01-05 19:22:48 |
Launchpad Janitor |
update-notifier (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
2021-01-05 19:25:17 |
Launchpad Janitor |
update-notifier (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
2022-03-08 10:21:16 |
Gerrit Hannaert |
bug |
|
|
added subscriber Gerrit Hannaert on behalf of BASF AppStore Team |
2022-09-22 16:48:02 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~lamoura/ubuntu/+source/update-notifier/+git/update-notifier/+merge/430317 |
|
2022-09-22 16:48:57 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~lamoura/ubuntu/+source/update-notifier/+git/update-notifier/+merge/430318 |
|