Public bug reported:

unattended-upgrade ignores apt-pinning to not-allowed origins
=============================================================

BUG:

unattended-upgrade completely ignores NOT ALLOWED ORIGINS
even if they contain apt-pinned versions
that are more favorable than versions from allowed origins.

SOLUTION:

unattended-upgrade should not ignore NOT ALLOWED ORIGINS,
but check whether they provide a more favorable version
and in such a case refrain from doing ANY upgrades for such packages.


Instructions for Ubuntu lunar 23.04:
------------------------------------

0. Upgrade all packages, uninstall Firefox:

    $ sudo apt update

    $ sudo apt upgrade

    $ sudo snap remove firefox

    $ sudo apt remove firefox

    $ apt-cache policy firefox
    firefox:
      Installed: (none)
      Candidate: 1:1snap1-0ubuntu3
      Version table:
         1:1snap1-0ubuntu3 500
            500 http://pl.archive.ubuntu.com/ubuntu lunar/main arm64 Packages

1. Add mozilla-team Firefox PPA and apt-pin it with priority 1001:

    $ echo 'deb https://ppa.launchpadcontent.net/mozillateam/ppa/ubuntu lunar main' | sudo tee /etc/apt/sources.list.d/firefox.list

    $ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 9BDB3D89CE49EC21

    $ echo -e 'Package: *\nPin: release o=LP-PPA-mozillateam\nPin-Priority: 1001' | sudo tee /etc/apt/preferences.d/firefox

    $ sudo apt update

    $ apt-cache policy firefox
    firefox:
      Installed: (none)
      Candidate: 117.0+build2-0ubuntu0.23.04.1~mt1
      Version table:
         1:1snap1-0ubuntu3 500
            500 http://pl.archive.ubuntu.com/ubuntu lunar/main arm64 Packages
         117.0+build2-0ubuntu0.23.04.1~mt1 1001
           1001 https://ppa.launchpadcontent.net/mozillateam/ppa/ubuntu lunar/main arm64 Packages

2. Install Firefox (from mozilla-team Firefox PPA, as pinned):

    $ sudo apt install firefox

    $ apt-cache policy firefox
    firefox:
      Installed: 117.0+build2-0ubuntu0.23.04.1~mt1
      Candidate: 117.0+build2-0ubuntu0.23.04.1~mt1
      Version table:
         1:1snap1-0ubuntu3 500
            500 http://pl.archive.ubuntu.com/ubuntu lunar/main arm64 Packages
     *** 117.0+build2-0ubuntu0.23.04.1~mt1 1001
           1001 https://ppa.launchpadcontent.net/mozillateam/ppa/ubuntu lunar/main arm64 Packages
            100 /var/lib/dpkg/status

3. SIMULATE AVAILABLE UPGRADE by downgrading Firefox from Mozilla-Team's
version for Ubuntu 23.04 to 22.04:

Download the .deb file from Mozilla-Team's PPA:

    $ wget $(apt-get download --print-uris firefox | cut -d' ' -f1 | tr -d "'" | sed 's/0ubuntu0\.[0-9][0-9]\.[0-9][0-9]\./0ubuntu0.22.04./')

Install it:

    $ sudo dpkg -i firefox_*.22.04.*.deb
    dpkg: warning: downgrading firefox from 117.0+build2-0ubuntu0.23.04.1~mt1 to 117.0+build2-0ubuntu0.22.04.1~mt1
    (Reading database ... 295244 files and directories currently installed.)
    Preparing to unpack firefox_117.0+build2-0ubuntu0.22.04.1~mt1_arm64.deb ...
    Unpacking firefox (117.0+build2-0ubuntu0.22.04.1~mt1) over (117.0+build2-0ubuntu0.23.04.1~mt1) ...
    Setting up firefox (117.0+build2-0ubuntu0.22.04.1~mt1) ...
    Please restart all running instances of firefox, or you will experience problems.
    Processing triggers for gnome-menus (3.36.0-1.1ubuntu1) ...
    Processing triggers for desktop-file-utils (0.26-1ubuntu5) ...
    Processing triggers for mailcap (3.70+nmu1ubuntu1) ...
    Processing triggers for hicolor-icon-theme (0.17-2) ...
    Processing triggers for man-db (2.11.2-1) ...

    $ apt-cache policy firefox
    firefox:
      Installed: 117.0+build2-0ubuntu0.22.04.1~mt1
      Candidate: 117.0+build2-0ubuntu0.23.04.1~mt1
      Version table:
         1:1snap1-0ubuntu3 500
            500 http://pl.archive.ubuntu.com/ubuntu lunar/main arm64 Packages
         117.0+build2-0ubuntu0.23.04.1~mt1 1001
           1001 https://ppa.launchpadcontent.net/mozillateam/ppa/ubuntu lunar/main arm64 Packages
     *** 117.0+build2-0ubuntu0.22.04.1~mt1 100
            100 /var/lib/dpkg/status

4. Bug in unattended-upgrade:

Firefox is now at priority 100 ("now").
Firefox snap package is at priority 500.
Mozilla-Team PPA has priority 1001, BUT IS NOT IN UNATTENDED-UPGRADE'S "ALLOWED 
ORIGINS".

BUG: unattended-upgrade upgrades Firefox package to 1:1snap1-0ubuntu3:

    $ sudo unattended-upgrade -v
    Starting unattended upgrades script
    Allowed origins are: o=Ubuntu,a=lunar, o=Ubuntu,a=lunar-security, o=UbuntuESMApps,a=lunar-apps-security, o=UbuntuESM,a=lunar-infra-security
    Initial blacklist:
    Initial whitelist (not strict):
    Packages that will be upgraded: firefox
    Writing dpkg log to /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
    Preconfiguring packages ...
    Preconfiguring packages ...
    (Reading database ... 295244 files and directories currently installed.)
    Preparing to unpack .../firefox_1%3a1snap1-0ubuntu3_arm64.deb ...
    => Installing the firefox snap
    ==> Checking connectivity with the snap store
    ==> Installing the firefox snap
    snap "firefox" is already installed, see 'snap help refresh'
    => Snap installation complete
    Unpacking firefox (1:1snap1-0ubuntu3) over (117.0+build2-0ubuntu0.22.04.1~mt1) ...
    dpkg: warning: unable to delete old directory '/etc/firefox': Directory not empty
    dpkg: warning: unable to delete old directory '/etc/apport/blacklist.d': Directory not empty
    Setting up firefox (1:1snap1-0ubuntu3) ...
    Removing obsolete conffile /etc/firefox/syspref.js ...
    Processing triggers for man-db (2.11.2-1) ...
    Processing triggers for mailcap (3.70+nmu1ubuntu1) ...
    Processing triggers for desktop-file-utils (0.26-1ubuntu5) ...
    Processing triggers for hicolor-icon-theme (0.17-2) ...
    Processing triggers for gnome-menus (3.36.0-1.1ubuntu1) ...
    All upgrades installed

5. Conclusion:

unattended-upgrade should not ignore NOT ALLOWED ORIGINS,
but check whether they provide a more favorable version
and in such a case refrain from doing ANY upgrades for such packages.


WORKAROUND
----------

1. Go back to mozilla-team's 22.04 deb:

    $ sudo dpkg -i firefox_*.22.04.*.deb

    $ sudo snap remove firefox

2. Pin Ubuntu's official version to 1:

    $ echo -e 'Package: firefox\nPin: release o=Ubuntu\nPin-Priority: 1' | sudo tee /etc/apt/preferences.d/firefox-workaround

    $ apt-cache policy firefox
    firefox:
      Installed: 117.0+build2-0ubuntu0.22.04.1~mt1
      Candidate: 117.0+build2-0ubuntu0.23.04.1~mt1
      Version table:
         1:1snap1-0ubuntu3 1
            500 http://pl.archive.ubuntu.com/ubuntu lunar/main arm64 Packages
         117.0+build2-0ubuntu0.23.04.1~mt1 1001
           1001 https://ppa.launchpadcontent.net/mozillateam/ppa/ubuntu lunar/main arm64 Packages
     *** 117.0+build2-0ubuntu0.22.04.1~mt1 100
            100 /var/lib/dpkg/status

3. Priority 1 < 100, so Firefox will NOT be upgraded to
1:1snap1-0ubuntu3

    $ sudo unattended-upgrade -v
    Starting unattended upgrades script
    Allowed origins are: o=Ubuntu,a=lunar, o=Ubuntu,a=lunar-security, o=UbuntuESMApps,a=lunar-apps-security, o=UbuntuESM,a=lunar-infra-security
    Initial blacklist:
    Initial whitelist (not strict):
    MarkUpgrade() called on a non-upgradeable pkg: 'firefox'
    No packages found that can be upgraded unattended and no pending auto-removals

4. apt will upgrade Firefox to the latest Mozilla-Team version:

    $ sudo apt upgrade
    Reading package lists... Done
    Building dependency tree... Done
    Reading state information... Done
    Calculating upgrade... Done
    #
    # You can verify the status of security fixes using the `pro fix` command.
    # E.g., a recent Ruby vulnerability can be checked with: `pro fix USN-6219-1`
    # For more detail see: https://ubuntu.com/security/notices/USN-6219-1
    #
    The following packages will be upgraded:
    firefox
    1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
    Need to get 59.3 MB of archives.
    After this operation, 751 kB of additional disk space will be used.
    Do you want to continue? [Y/n] y
    Get:1 https://ppa.launchpadcontent.net/mozillateam/ppa/ubuntu lunar/main arm64 firefox arm64 117.0+build2-0ubuntu0.23.04.1~mt1 [59.3 MB]
    Fetched 5171 kB in 0s (14.0 MB/s)
    (Reading database ... 295244 files and directories currently installed.)
    Preparing to unpack .../firefox_117.0+build2-0ubuntu0.23.04.1~mt1_arm64.deb ...
    Unpacking firefox (117.0+build2-0ubuntu0.23.04.1~mt1) over (117.0+build2-0ubuntu0.22.04.1~mt1) ...
    Setting up firefox (117.0+build2-0ubuntu0.23.04.1~mt1) ...
    Please restart all running instances of firefox, or you will experience problems.
    Processing triggers for man-db (2.11.2-1) ...
    Processing triggers for mailcap (3.70+nmu1ubuntu1) ...
    Processing triggers for desktop-file-utils (0.26-1ubuntu5) ...
    Processing triggers for hicolor-icon-theme (0.17-2) ...
    Processing triggers for gnome-menus (3.36.0-1.1ubuntu1) ...

** Affects: unattended-upgrades (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to unattended-upgrades in
Ubuntu.
https://bugs.launchpad.net/bugs/2033646
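
Added example, not part of the original report and not unattended-upgrades' own code: a host audit that parses `apt-cache policy` output and flags the mismatch described above, where apt's pinned candidate comes from a source outside the allowed origins while an allowed source still offers a version above the installed priority. The function names and the URL-prefix approximation of "allowed origins" are assumptions made for this sketch.

```python
import re

# `apt-cache policy firefox` output from step 3 of the report, wrapped lines rejoined.
SAMPLE = """\
firefox:
  Installed: 117.0+build2-0ubuntu0.22.04.1~mt1
  Candidate: 117.0+build2-0ubuntu0.23.04.1~mt1
  Version table:
     1:1snap1-0ubuntu3 500
        500 http://pl.archive.ubuntu.com/ubuntu lunar/main arm64 Packages
     117.0+build2-0ubuntu0.23.04.1~mt1 1001
       1001 https://ppa.launchpadcontent.net/mozillateam/ppa/ubuntu lunar/main arm64 Packages
 *** 117.0+build2-0ubuntu0.22.04.1~mt1 100
        100 /var/lib/dpkg/status
"""

# Assumption: allowed origins are approximated by archive URL prefix, because
# `apt-cache policy <pkg>` prints source URLs rather than o=/a= release fields.
ALLOWED_PREFIXES = ("http://pl.archive.ubuntu.com/ubuntu",)

VERSION_RE = re.compile(r"^\s{1,5}(\*\*\* )?(\S+) (-?\d+)\s*$")  # "[***] <version> <pin>"
SOURCE_RE = re.compile(r"^\s{6,}(-?\d+) (\S+)")                   # "<prio> <url-or-path> ..."


def parse_policy(text):
    """Parse one package stanza into installed, candidate and a version table."""
    info = {"installed": None, "candidate": None, "versions": []}
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Installed:"):
            info["installed"] = stripped.split(": ", 1)[1]
        elif stripped.startswith("Candidate:"):
            info["candidate"] = stripped.split(": ", 1)[1]
        elif (m := VERSION_RE.match(line)):
            info["versions"].append(
                {"version": m.group(2), "priority": int(m.group(3)), "sources": []})
        elif (m := SOURCE_RE.match(line)) and info["versions"]:
            info["versions"][-1]["sources"].append(m.group(2))
    return info


def audit(info, allowed=ALLOWED_PREFIXES):
    """Heuristic mirroring the report's observation (not unattended-upgrades' logic):
    return a finding when the candidate is not from an allowed source but an
    allowed source offers a version pinned above the installed one."""
    def is_allowed(v):
        return any(s.startswith(allowed) for s in v["sources"])
    by_ver = {v["version"]: v for v in info["versions"]}
    cand = by_ver.get(info["candidate"])
    inst = by_ver.get(info["installed"])
    inst_prio = inst["priority"] if inst else 0
    if cand is None or is_allowed(cand):
        return None
    rivals = [v["version"] for v in info["versions"]
              if is_allowed(v) and v["priority"] > inst_prio]
    return {"candidate": info["candidate"], "allowed_rivals": rivals} if rivals else None
```

Run against the step 3 output it reports `1:1snap1-0ubuntu3` as the rival; with the workaround pin of 1 applied to that version it returns `None`.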

