snap USN notifications reporting binaries with different versions than source as out of date when they are not
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| USN Tool | Invalid | Undecided | Unassigned | |
| Ubuntu CVE Tracker | Fix Released | Undecided | Alex Murray | |
| review-tools | Fix Released | Undecided | Jamie Strandboge | |
Bug Description
```text
$ apt-cache showsrc
Package: libreoffice
...
Version: 1:6.0.7-
...
$ apt-cache policy libreoffice-impress
libreoffice-
Installed: (none)
Candidate: 1:6.0.7-
Version table:
1:
500 http://
500 http://
1:
500 http://
```
In the above two, the source version and the binary version match, but with uno-libs3, built from this source, it is not (the epoch is dropped):
```text
$ apt-cache policy uno-libs3
uno-libs3:
Installed: (none)
Candidate: 6.0.7-0ubuntu0.
Version table:
6.
500 http://
500 http://
6.0.3-0ubuntu1 500
500 http://
```
snapcraft correctly adds the epoch-less version to snap/manifest.yaml:
```yaml
stage-packages:
- uno-libs3=
```
Until recently, usndb didn't have enough information for the review-tools to handle this situation since it only contained the source version, 'affected binaries' (i.e., a subset of binary debs) and a list of URLs (and URLs drop the epoch), so the review-tools would try to guess by adding the epoch, which means that 6.0.7-0ubuntu0.
Recently usndb added "allbinaries", which lists all the debs, but unfortunately it is guessing the epoch as well, so the review-tools can't use this and fall back to guessing with older USNs. E.g., the problem is that usndb is adding the epoch when it shouldn't:
```text
...
"bionic": {
"allbinaries": {
"libreoffic
"version": "1:6.0.
},
...
"uno-libs3": {
"version": "1:6.0.
},
...
```
For the review-tools to be fixed, several things need to happen:
- the review-tools should use "allbinaries" when it is available and fallback to guessing when it is not
- the ubuntu-cve-tracker needs to be adjusted to put the right versions in "allbinaries"
- the review-tools can improve the situation immediately by building up a list of exceptional cases by looking at Packages files for the LTSs and then overriding. This would improve the guesswork/fallback situation moving forward.
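Added example (not code from review-tools or ubuntu-cve-tracker): a dpkg-style version comparison and the "use allbinaries when present, otherwise guess the source epoch" lookup the report proposes, run against a constructed usndb excerpt. The version strings, the `USN_SAMPLE` dict and every function name are assumptions made up for this example.

```python
import re
from itertools import zip_longest

USN_SAMPLE = {  # constructed excerpt in usndb's JSON shape; versions are made up
    "version": "1:6.0.7-0ubuntu0.1",  # source version carries epoch 1
    "allbinaries": {
        "libreoffice-impress": {"version": "1:6.0.7-0ubuntu0.1"},
        "uno-libs3": {"version": "6.0.7-0ubuntu0.1"},  # this binary has no epoch
    },
}

def _order(c):  # dpkg weight: '~' sorts first, digits 0, letters, then other characters
    return -1 if c == "~" else 0 if c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_nondigit(x, y):  # compare two non-digit runs; a missing character weighs 0
    n = max(len(x), len(y))
    kx = [_order(c) for c in x] + [0] * (n - len(x))
    ky = [_order(c) for c in y] + [0] * (n - len(y))
    return (kx > ky) - (kx < ky)

def _cmp_fragment(a, b):  # dpkg's verrevcmp: alternate non-digit and numeric runs
    pa, pb = re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b)
    for (na, da), (nb, db) in zip_longest(pa, pb, fillvalue=("", "")):
        c = _cmp_nondigit(na, nb) or (int(da or 0) - int(db or 0))
        if c:
            return c
    return 0

def _split(v):  # [epoch:]upstream[-revision]; epoch defaults to 0, revision to "0"
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "0")

def dpkg_compare(v1, v2):  # <0, 0, >0 as dpkg --compare-versions would; epoch decides first
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    return (e1 - e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def is_out_of_date(binary, staged, usn, use_allbinaries=True):
    # Prefer the per-binary version from "allbinaries"; otherwise fall back to the
    # old guess that the binary carries the source version's epoch.
    fixed = usn["allbinaries"].get(binary, {}).get("version") if use_allbinaries else None
    if fixed is None:
        fixed = usn["version"]
    return dpkg_compare(staged, fixed) < 0
```

With `use_allbinaries=False` the staged uno-libs3 is flagged out of date purely because the guessed epoch makes `1:6.0.7-…` sort above `6.0.7-…`; with a correct `allbinaries` entry the same deb compares equal.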
Related branches
- Jamie Strandboge (community): Approve
- Steve Beattie: Pending requested
Diff: 135 lines (+43/-7), 2 files modified: scripts/sis-changes (+22/-7), scripts/sis-generate-usn (+21/-0)
Changed in ubuntu-cve-tracker: status: New → Triaged
Changed in review-tools: status: New → Triaged
description: updated
Changed in usn-tool: status: New → Invalid
Changed in ubuntu-cve-tracker: assignee: nobody → Alex Murray (alexmurray)
Please review the following merge proposal https://code.launchpad.net/~alexmurray/ubuntu-cve-tracker/+git/ubuntu-cve-tracker/+merge/371983