[Touch-packages] [Bug 1788486] Re: apt behaviour when package with strict dependencies rules and version -gt in -updates than -security.

2018-09-04 Thread Julian Andres Klode
All I can say: If you treat USN reports as binaries then you are
definitely missing security updates.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1788486

Title:
  apt behaviour when package with strict dependencies rules and version
  -gt in -updates than -security.

Status in apt package in Ubuntu:
  Won't Fix
Status in landscape-client package in Ubuntu:
  Won't Fix
Status in apt source package in Xenial:
  Won't Fix
Status in landscape-client source package in Xenial:
  Won't Fix
Status in apt source package in Bionic:
  Won't Fix
Status in landscape-client source package in Bionic:
  Won't Fix

Bug description:
  [Impact]

  We notice that situation while investigating a security update using
  Landscape, but it also applies to 'apt' outside the Landscape context.

  'apt' should be smarter to detect/install packages with strict
  dependencies such as systemd[1] when a version is specified for
  upgrade (Ex: $ apt-get install systemd=229-4ubuntu-21.1).

  It should automatically install the dependencies (if any) from that
  same version as well instead of failing trying to install the highest
  version available (if any) while installing the specified version for
  the one mentioned:

  $ apt-get install systemd=229-4ubuntu-21.1

  "systemd : Depends: libsystemd0 (= 229-4ubuntu21.1) but 229-4ubuntu21.4 is to be installed"

  To face that problem:
  - Package with lower version should be found in -security (Ex: systemd/229-4ubuntu21.1)
  - Package with higher version should be found in -updates (Ex: systemd/229-4ubuntu21.4)
  - Package should have strict dependencies (Ex: libsystemd0 (= ${binary:Version}))
  - The upgrade should only specify version for the package, without its dependencies. (Ex: $ apt-get install systemd=229-4ubuntu-21.1 #systemd without libsystemd0 depends)

  Using systemd is a good reproducer, I'm sure finding other packages
  with the same situation is easy.

  It has been easily reproduced with systemd on Xenial and Bionic so
  far.

  [1] debian/control
  Depends: ${shlibs:Depends},
  ${misc:Depends},
  libsystemd0 (= ${binary:Version}),
  ...

  [Workaround]
  If package + dependencies are specified, the upgrade works just fine:

  Ex: $ apt-get install systemd=229-4ubuntu-21.1 libsystemd0=229-4ubuntu-21.1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1788486/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1788486] Re: apt behaviour when package with strict dependencies rules and version -gt in -updates than -security.

2018-09-04 Thread Julian Andres Klode
I mean, consider the apt one. It lists apt, but the fix is in the binary
libapt-pkg5.0.

I assume you can specify --only-upgrade or what it's called too to
prevent removals (but also new installs). In any case, there is no
solution here.


[Touch-packages] [Bug 1788486] Re: apt behaviour when package with strict dependencies rules and version -gt in -updates than -security.

2018-09-04 Thread David Coronel
There is a similar situation where apt-get wants to remove packages when
strict dependencies (equal version number) cannot be met. For example
dovecot-core/dovecot-pop3d/dovecot-imapd.

After installing Ubuntu 16.04.3 LTS from the ISO, install the 3 packages
from the release pocket:

$ sudo apt install dovecot-imapd=1:2.2.22-1ubuntu2 \
dovecot-core=1:2.2.22-1ubuntu2 \
dovecot-pop3d=1:2.2.22-1ubuntu2 

USN-3587-1 [1] wants dovecot-core to be upgraded to 1:2.2.22-1ubuntu2.7

Trying to upgrade dovecot-core to 1:2.2.22-1ubuntu2.7 will want to
remove dovecot-imapd and dovecot-pop3d:

$ sudo apt-get install --dry-run dovecot-core=1:2.2.22-1ubuntu2.7

Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  ntp dovecot-gssapi dovecot-sieve dovecot-pgsql dovecot-mysql dovecot-sqlite dovecot-ldap dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-managesieved dovecot-solr
The following packages will be REMOVED:
  dovecot-imapd dovecot-pop3d
The following packages will be upgraded:
  dovecot-core
1 upgraded, 0 newly installed, 2 to remove and 171 not upgraded.
Remv dovecot-imapd [1:2.2.22-1ubuntu2]
Remv dovecot-pop3d [1:2.2.22-1ubuntu2]
Inst dovecot-core [1:2.2.22-1ubuntu2] (1:2.2.22-1ubuntu2.7 Ubuntu:16.04/xenial-security [amd64])
Conf dovecot-core (1:2.2.22-1ubuntu2.7 Ubuntu:16.04/xenial-security [amd64])


Why? The only package that is *required* to be upgraded (because the USN 
specifies it, and because we currently treat USN package specs as binary 
packages), is dovecot-core. Apt's (simple) dependency solver figures it can 
upgrade that, but in doing so it breaks dovecot-imapd and dovecot-pop3d which 
need removing as a consequence. The workaround is to specify all 3 packages: 

$ sudo apt-get install --dry-run dovecot-core=1:2.2.22-1ubuntu2.7 \
dovecot-imapd=1:2.2.22-1ubuntu2.7 \
dovecot-pop3d=1:2.2.22-1ubuntu2.7

Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  ntp dovecot-gssapi dovecot-sieve dovecot-pgsql dovecot-mysql dovecot-sqlite dovecot-ldap dovecot-lmtpd dovecot-managesieved dovecot-solr
The following packages will be upgraded:
  dovecot-core dovecot-imapd dovecot-pop3d
3 upgraded, 0 newly installed, 0 to remove and 171 not upgraded.
Inst dovecot-pop3d [1:2.2.22-1ubuntu2] (1:2.2.22-1ubuntu2.7 Ubuntu:16.04/xenial-security [amd64]) []
Inst dovecot-imapd [1:2.2.22-1ubuntu2] (1:2.2.22-1ubuntu2.7 Ubuntu:16.04/xenial-security [amd64]) []
Inst dovecot-core [1:2.2.22-1ubuntu2] (1:2.2.22-1ubuntu2.7 Ubuntu:16.04/xenial-security [amd64])
Conf dovecot-core (1:2.2.22-1ubuntu2.7 Ubuntu:16.04/xenial-security [amd64])
Conf dovecot-pop3d (1:2.2.22-1ubuntu2.7 Ubuntu:16.04/xenial-security [amd64])
Conf dovecot-imapd (1:2.2.22-1ubuntu2.7 Ubuntu:16.04/xenial-security [amd64])


[1] https://usn.ubuntu.com/3587-1/


[Touch-packages] [Bug 1788486] Re: apt behaviour when package with strict dependencies rules and version -gt in -updates than -security.

2018-08-29 Thread Eric Desrochers
Thanks for the clarification Julian.


[Touch-packages] [Bug 1788486] Re: apt behaviour when package with strict dependencies rules and version -gt in -updates than -security.

2018-08-29 Thread Julian Andres Klode
Again: The security notice is about source packages, not binary
packages. libsystemd0 and systemd are both part of the systemd source
package, so obviously both need to be upgraded if installed.

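
Added example, not part of the thread and not apt or Landscape code: a shell example of the point made in the replies above, that a USN names a source package, so every installed binary built from it has to be pinned together (the workaround shown for systemd and dovecot). The function names and the sample package table are constructed here, and it assumes all binaries of the source carry the version the notice names.

```shell
#!/bin/sh
# Added example: pin every installed binary built from one source package.
# Input on stdin, one line per package: "<binary> <source> <status>", which a
# real system produces with:
#   dpkg-query -W -f='${Package} ${source:Package} ${db:Status-Abbrev}\n'

# Constructed sample of that output (not taken from a real machine).
SAMPLE_DPKG='dovecot-core dovecot ii
dovecot-imapd dovecot ii
dovecot-pop3d dovecot ii
dovecot-ldap dovecot rc
libsystemd0 systemd ii
systemd systemd ii
openssl openssl ii'

# Print "pkg=version ..." for all fully installed ("ii") binaries of a source.
# Assumption: every binary of the source carries the version the USN names.
pins_for_source() {
    src=$1 ver=$2
    awk -v src="$src" -v ver="$ver" '
        $2 == src && $3 == "ii" { printf "%s%s=%s", sep, $1, ver; sep = " " }
        END { if (sep != "") print "" }'
}

# Print installed binaries of a source that a request (space-separated package
# names) leaves out: the siblings apt would otherwise break or remove.
unpinned_siblings() {
    src=$1 requested=$2
    awk -v src="$src" -v req="$requested" '
        BEGIN { n = split(req, r, " "); for (i = 1; i <= n; i++) named[r[i]] = 1 }
        $2 == src && $3 == "ii" && !($1 in named) { print $1 }'
}

# Demo on the sample: the dovecot case from USN-3587-1.
echo "left out when only dovecot-core is requested:"
printf '%s\n' "$SAMPLE_DPKG" | unpinned_siblings dovecot "dovecot-core"
echo "apt-get install --dry-run $(printf '%s\n' "$SAMPLE_DPKG" |
    pins_for_source dovecot 1:2.2.22-1ubuntu2.7)"
```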