Ship ubuntu-advantage in ubuntu-minimal

debdiff for base-files on precise

Status changed to 'Confirmed' because the bug affects multiple users.

This introduces a python dependency to base-files, which I think is incorrect. I think the decision to choose base-files should be reevaluated.

From the point of view of end-users, regardless if the script is in base-files or in its own package, the same number of apt commands will be needed either way.

It's either:
apt-get update
apt-get dist-upgrade
ubuntu-advantage enable-esm <token>

or:
apt-get update
apt-get install ubuntu-advantage
ubuntu-advantage enable-esm <token>

In its own package it can have its own copyright, manpage, correct dependencies, its own source tarball, tests (which were stripped from the debdiff here), upstream url, nice description, etc.

The difference here is a supported machine is up to date, even if it only has the minimum packages installed.

Asking for another package to be installed to be "supported" is a small bit of friction that can be removed by delivering the script with basefiles.

Updated debdiff attached. Changes:
- the ubuntu-advantage script is now shell (/bin/sh)
- install an MOTD script that will print a banner informing the status of ESM

The key UID is interesting. It is "Ubuntu ESM <email address hidden>" is this an appropriate user facing uid that is listed in the output of $ apt-key list?

Our current key names are a bit more descriptive than that, e.g.:
* Ubuntu Archive Automatic Signing Key <email address hidden>
* Ubuntu CD Image Automatic Signing Key <email address hidden>

Have you considered changing UID to e.g.
 * Ubuntu Extended Security Maintenance Automatic Signing Key <email address hidden>

Such that it is descriptive, and has email address that is user/public facing.

prodstack-cdo seems like an internal email address, which is not customer facing.

* the key should be shipped as a key fragment in /usr/share/keyrings/ubuntu-keyring-extended-security-maintainance.gpg

* the shell script should simply copy that key fragment into /etc/apt/trusted.gpg.d/ upon enablement of the ESM repository

* there should not be encoded binary in the shell script, and no need to call apt-key; just a cp.

* the script should check for and install apt-transport-https if missing

<email address hidden> actually might be a better email address, following on ftpmaster@ cdimage@ pattern.

The key was updated, is there an updated export of it available?

I pushed it to keyserver.ubuntu.com, key id 67C7A026

I can't use a debdiff here anymore because the new key is a binary file. I created a git branch here:

https://code.launchpad.net/~ahasenack/ubuntu/+source/base-files/+git/base-files/+ref/ubuntu-advantage-sru

Is that enough for your review? Should I make an MP against the precise-updates packaging branch imported at https://code.launchpad.net/~usd-import-team/ubuntu/+source/base-files/+git/base-files ?

Status changed to 'Confirmed' because the bug affects multiple users.

Hello David, or anyone else affected,

Accepted ubuntu-advantage-tools into precise-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

An upload of ubuntu-meta to precise-proposed has been rejected from the upload queue for the following reason: "unexpected changes to desktop seed".

Hello David, or anyone else affected,

Accepted ubuntu-meta into precise-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-meta/1.267.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

$ ubuntu-advantage
usage: ubuntu-advantage [enable-esm|disable-esm]

Enable or disable the Ubuntu Extended Security Maintenance archive.

Parameters:
 enable-esm <token> enable the ESM repository
 disable-esm disable the ESM repository

the <token> argument must be in the form "user:password"

$ sudo ubuntu-advantage enable-esm <token>
[sudo] password for vorlon:
Running apt-get update...
W: Failed to fetch https://esm.ubuntu.com/ubuntu/dists/precise/Release Unable to find expected entry 'main/binary-armhf/Packages' in Release file (Wrong sources.list entry or malformed file)

E: Some index files failed to download. They have been ignored, or old ones used instead.
$

Having foreign-arch multiarch enabled on 12.04 is a pretty marginal use case. ;) Should we care about filtering out unsupported ports architectures when constructing the sources.list.d file?

discussed the above error with the team:
- non-x86 multiarch is a quite minor use case on precise
- it is not clear that esm.ubuntu.com is intended to be x86-only, or that it will remain so indefinitely

So we will not limit the sources.list.d entry by architecture, which could do more harm than good, and so I'm considering this verified.

This bug was fixed in the package ubuntu-advantage-tools - 1

---------------
ubuntu-advantage-tools (1) precise; urgency=medium

  * Initial Release. LP: #1686183

 -- Dimitri John Ledkov <email address hidden> Fri, 28 Apr 2017 15:04:47 +0100

The verification of the Stable Release Update for ubuntu-advantage-tools has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package ubuntu-meta - 1.267.2

---------------
ubuntu-meta (1.267.2) precise; urgency=medium

  * Refreshed dependencies
  * Added ubuntu-advantage-tools to minimal LP: #1686183

 -- Dimitri John Ledkov <email address hidden> Fri, 28 Apr 2017 16:12:30 +0100

This package needs to be brought forward to post-trusty releases, but the motd script currently hard-codes 12.04 in its message so this shouldn't be a straight forward-copy.

I have a candidate for this to be submitted into artful, and then we can work on the SRU back to trusty after it's accepted. As this one went a bit out of order (precise first after it EOLed!), I'll just attach the git tag in upstream:

https://github.com/CanonicalLtd/ubuntu-advantage-script/releases/tag/v2

Currently the script does nothing for newer releases of Ubuntu. Once those release go EOL and an ESM product is available for them, we will request an SRU with new bits. But, that will be a while.

This is bit of a funky SRU (IMO). It seems like we want version 2 (from the linked repository) in all releases > 12.04. However, given that is not yet present in any release != 12.04, I'm not sure we need to worry about the exact version (that is, they can all be 2?).

My immediate feedback is the debian/changelog from the linked repo should be for artful, not precise. Then that can be backported (I think) to all releases != 12.04. If this already existed, it seems like it would say "trusty" and then have been copied forward.

On Wed, Jul 19, 2017 at 12:06:52PM -0000, Nish Aravamudan wrote:
> This is bit of a funky SRU (IMO). It seems like we want version 2 (from
> the linked repository) in all releases > 12.04. However, given that is
> not yet present in any release != 12.04, I'm not sure we need to worry
> about the exact version (that is, they can all be 2?).

> My immediate feedback is the debian/changelog from the linked repo
> should be for artful, not precise. Then that can be backported (I think)
> to all releases != 12.04. If this already existed, it seems like it
> would say "trusty" and then have been copied forward.

As discussed in person, if we are going to use a single version and pocket
copy it, we should upload to trusty and then copy forward rather than
uploading to artful and copying backward.

Hello -- this is ready for a re-review:

https://github.com/CanonicalLtd/ubuntu-advantage-script/releases/tag/v2

release has been changed to 'trusty' in the changelog.

A bashism was found in the dep8 test, this has now been removed. The new package can be found here:

https://github.com/CanonicalLtd/ubuntu-advantage-script/releases/tag/v2-upload3

Hello David, or anyone else affected,

Accepted ubuntu-advantage-tools into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

This bug was fixed in the package ubuntu-advantage-tools - 2

---------------
ubuntu-advantage-tools (2) trusty; urgency=medium

  * ubuntu-advantage & /etc/update-motd.d/99-esm now build, run and are quiet
    on non-precise release. (LP: #1686183)
  * Add simple dep8 tests.
  * Also install ca-certificates (LP: #1690270)

 -- David Britton <email address hidden> Fri, 30 Jun 2017 15:20:00 -0600

Trusty verification using the ubuntu-advantage-tools package from trusty-proposed:
 *** 2 0
        500 http://archive.ubuntu.com/ubuntu/ trusty-proposed/main amd64 Packages

a) enabling esm
Installation works, but enabling esm is not a good experience:
"""
$ sudo ubuntu-advantage enable-esm <redacted>
Running apt-get update...
W: Failed to fetch https://esm.ubuntu.com/ubuntu/dists/trusty/main/binary-amd64/Packages HttpError404

E: Some index files failed to download. They have been ignored, or old ones used instead.
$ echo $?
100
"""

Since there is no ESM for non-precise Ubuntu releases, it fails correctly with a 404 error. Is that acceptable?

b) MOTD
There is no mention of ESM, precise, or looming end-of-life in the MOTD when logging in, so that's good.

Xenial verification with ubuntu-advantage-tools 2 from xenial-proposed:
 *** 2 500
        500 http://br.archive.ubuntu.com/ubuntu xenial-proposed/main amd64 Packages

a) Since there is no ESM avaiable for xenial, enabling esm fails:
ubuntu@xenial-ubuntu-advantage:~$ sudo ubuntu-advantage enable-esm <redacted>
Running apt-get update...
W: The repository 'https://esm.ubuntu.com/ubuntu xenial Release' does not have a Release file.
E: Failed to fetch https://esm.ubuntu.com/ubuntu/dists/xenial/main/binary-amd64/Packages 404 Not Found
E: Some index files failed to download. They have been ignored, or old ones used instead.
ubuntu@xenial-ubuntu-advantage:~$ echo $?
100

apt-get update commands will continue to fail like above until ESM is disabled with "sudo ubuntu-advantage disable-esm".

b) MOTD is unaffected by esm, enabled or not, since we are not running on precise.

Zesty verification with ubuntu-advantage-tools 2 from zesty-proposed:
 *** 2 500
        500 http://br.archive.ubuntu.com/ubuntu zesty-proposed/main amd64 Packages

a) Since there is no ESM for zesty, the enable-esm command fails with a 404 Not found error:
$ sudo ubuntu-advantage enable-esm <redacteD>
Running apt-get update...
W: The repository 'https://esm.ubuntu.com/ubuntu zesty Release' does not have a Release file.
E: Failed to fetch https://esm.ubuntu.com/ubuntu/dists/zesty/main/binary-amd64/Packages 404 Not Found
E: Some index files failed to download. They have been ignored, or old ones used instead.

apt-get update will remain in this state until esm is disabled. This will probably affect the "package update count" message that is displayed in the MOTD (unrelated to ubuntu-advantage or ESM), since apt-get update is erroring.

b) No ubuntu-advantage related messages are shown in MOTD, regardless if esm is enabled or not, which is correct for non-precise releases of Ubuntu.

To summarize, as expected, all non-precise releases behave the same:

a) enable-esm fails with a valid token because ESM is not available for non-precise ubuntu releases. That causes apt-get update to fail with a 404. The situation is resolved by running the disable-esm command.

b) MOTD gets no ubuntu-advantage or esm related messages, regardless if esm is enabled or not. This is correct, since esm is only available for precise, and ubuntu-advantage has no other functionality.

After having done the above passes on trusty, xenial and zesty, I decided to take another pass and verify that if ca-certificates or apt-transport-https are missing, that ubuntu-advantage would install them. This already happens on precise, but maybe the package names or dependencies changed in other releases.

To properly test this I configured apt to not install recommends by default, otherwise just by installing apt-transport-https we would already get ca-certificates. I'm going to update the [Test Case] section of this SRU about this extra test and its preparation:

$ cat /etc/apt/apt.conf.d/no-recommends
APT::Install-Recommends "false";

Here are the results:

a) zesty:
ubuntu@zesty-ubuntu-advantage:~$ sudo ubuntu-advantage enable-esm <redacted>
Installing missing dependency apt-transport-https
Installing missing dependency ca-certificates
Running apt-get update...
(...)

b) xenial:
ubuntu@xenial-ubuntu-advantage:~$ sudo ubuntu-advantage enable-esm <redacted>
Installing missing dependency apt-transport-https
Installing missing dependency ca-certificates
Running apt-get update...
(...)

c) trusty:
ubuntu@trusty-ubuntu-advantage-1686183:~$ sudo ubuntu-advantage enable-esm <redacted>
Installing missing dependency apt-transport-https
Installing missing dependency ca-certificates
Running apt-get update...
(...)

This bug was fixed in the package ubuntu-advantage-tools - 2

---------------
ubuntu-advantage-tools (2) trusty; urgency=medium

  * ubuntu-advantage & /etc/update-motd.d/99-esm now build, run and are quiet
    on non-precise release. (LP: #1686183)
  * Add simple dep8 tests.
  * Also install ca-certificates (LP: #1690270)

 -- David Britton <email address hidden> Fri, 30 Jun 2017 15:20:00 -0600

Status changed to 'Confirmed' because the bug affects multiple users.

This bug was fixed in the package ubuntu-meta - 1.400

---------------
ubuntu-meta (1.400) artful; urgency=medium

  * Refreshed dependencies
  * Removed gnome-software-plugin-snap from desktop-recommends [s390x]
  * Added ubuntu-advantage-tools to minimal. LP: #1686183.

 -- Steve Langasek <email address hidden> Fri, 22 Sep 2017 03:46:23 +0000

I would like to ask you to reconsider the decision to make ubuntu-minimal depend on ubuntu-advantage-tools.

You can skip this paragraph if you're in a hurry. First, thank you for holding this discussion in the open. I totally understand the marketing reasons for this: I depend on Canonical's distribution, and want Canonical to offer their paying customers a fantastic out-of-the-box experience so that they can continue to offer their services to the general public, too.

That said, the ubuntu-advantage-tools package is not in fact strictly necessary to allow the machine to boot, detect hardware, connect to a network, install packages or perform basic diagnostics. With ubuntu-minimal 1.400, this is now essentially a mandatory piece of software that will, at best, emit an error message.

Would changing the relationship from Depends to Recommends meet your requirements (automatic setup on every Ubuntu machine) while allowing manual removal of the package?

Actually, one could argue that the ubuntu-minimal package on non-LTS releses should Conflict, not Depend, on ubuntu-advantage-tools. This ought to cause for the automatic removal of the package when dist-upgrading to a non-LTS release. That would give the package scripts a chance to warn the system administrator that they are about to give up on the benefits of their paid subscription.

> With ubuntu-minimal version 1.400 on artful, this is now essentially a mandatory piece of software that will, at best, emit an error message.

I accidentally missed a couple of critical words from that sentence. Apologies.

Thanks for the feedback.

On Fri, Sep 22, 2017 at 05:46:36PM -0000, bp wrote:
> You can skip this paragraph if you're in a hurry. First, thank you for
> holding this discussion in the open. I totally understand the marketing
> reasons for this: I depend on Canonical's distribution, and want Canonical
> to offer their paying customers a fantastic out-of-the-box experience so
> that they can continue to offer their services to the general public, too.

I want to be clear that, although Canonical benefits financially from users
signing up for paid extended support through ESM, the rationale for
including the package in ubuntu-minimal is not a "marketing" one. Rather,
the intent is to ensure users who have opted into the paid ESM service have
a seamless process for enabling it on their system. We do want users whose
systems are EOL and no longer security supported to know what their options
are (upgrades, or paid ESM), but including ubuntu-advantage-tools in
ubuntu-minimal is not intended to discourage users from upgrading.

> That said, the ubuntu-advantage-tools package is not in fact strictly
> necessary to allow the machine to boot, detect hardware, connect to a
> network, install packages or perform basic diagnostics. With ubuntu-
> minimal 1.400, this is now essentially a mandatory piece of software
> that will, at best, emit an error message.

There are a number of packages pulled in by ubuntu-minimal that could be
removed and still technically fulfill the capabilities listed in the
package's description; they would just make it more inconvenient and awkward
to do so.

ubuntu-advantage-tools certainly falls under the header of 'install
packages' - which is more than can be said of e.g. the tzdata and locales
packages.

As far as emitting error messages: while none of the package services
currently provided by this tool are available on non-LTS releases, it is not
impossible that these would be available in the future depending on
commercial demand. In the meantime, I think it's a far better user
experience to run the documented command and be told 'this service not
available for this release' than to try to run it and be told 'command not
found', and it was with this in mind that I supported including this package
in non-LTS releases.

> Would changing the relationship from Depends to Recommends meet your
> requirements (automatic setup on every Ubuntu machine) while allowing
> manual removal of the package?

We would have to verify this empirically. I'm not altogether opposed to it,
but I also don't see what advantage it brings our users. The
ubuntu-advantage-tools package is:

Installed-Size: 36.9 kB
Download-Size: 11.3 kB

and has zero added dependencies. And most of the current size is the
archive keys, which if they weren't in ubuntu-advantage-tool would certainly
be in ubuntu-keyring (and indeed, we might still move them there), which is
also part of ubuntu-minimal.

So from a technical point of view, what benefit is there to making the
package removable?

I would note that it would be entirely possible to bundle these scripts with
some other base package; and I think it's really only because this is a
separate package that i...

Unsubscribing ~ubuntu-sponsors as there seems to be nothing to sponsor here.

Hello David, or anyone else affected,

Accepted ubuntu-meta into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-meta/1.361.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello David, or anyone else affected,

Accepted ubuntu-meta into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-meta/1.325.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Upon upgrading to 1.325.1 on trusty, ubuntu-minimal pulled in ubuntu-advantage-tools which got installed and ubuntu-advantage command became present and operational.

Upon upgrading to 1.361.2 on xenial, ubuntu-minimal pulled in ubuntu-advantage-tools which got installed and ubuntu-advantage command became present and operational.

This bug was fixed in the package ubuntu-meta - 1.325.1

---------------
ubuntu-meta (1.325.1) trusty; urgency=medium

  * Refreshed dependencies
  * Added ubuntu-advantage-tools to minimal LP: #1686183
  * Manually updated to include ubuntu-advantage-tools addition only.

 -- Dimitri John Ledkov <email address hidden> Thu, 25 Oct 2018 10:38:11 +0100

This bug was fixed in the package ubuntu-meta - 1.361.2

---------------
ubuntu-meta (1.361.2) xenial; urgency=medium

  * Refreshed dependencies
  * Added ubuntu-advantage-tools to minimal LP: #1686183
  * Update config to use git, and all pockets.
  * Note above is added by monkey-patching germinate to not exclude
    minimal packages, which do not appear in debootstrap output.

 -- Dimitri John Ledkov <email address hidden> Thu, 25 Oct 2018 10:13:59 +0100

Bug 1950692 and this mailing list thread https://lists.ubuntu.com/archives/ubuntu-devel/2021-November/041688.html are follow ups from comments 42 and 44 requesting that the ubuntu-advantage-tools package be removable. If you want this, please participate in the discussion - otherwise it's unlikely to happen.

Just to add, the file listed at https://ubuntu.com/legal/motd to combat this package's "feature" since it cannot be removed, no longer exists in Jammy, 22.04.