update-notifier notifies of phased-updates for which you may not be eligible

Bug #1223321 reported by markling
This bug affects 18 people
Affects: update-notifier (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Brian Murray

Bug Description

Update-notifier displays X number of updates, but then when you launch update-manager (done by choosing to install the updates) you are presented with Y number of updates, where Y is less than X. This is because update-notifier does not check to see if a package is undergoing phasing and subsequently shows all the available updates even though your system may not be selected to install them.

I've marked it as a security vulnerability.

ProblemType: Bug
DistroRelease: Ubuntu 13.04
Package: update-manager 1:0.186.2
ProcVersionSignature: Ubuntu 3.8.0-30.44-generic 3.8.13.6
Uname: Linux 3.8.0-30-generic x86_64
ApportVersion: 2.9.2-0ubuntu8.3
Architecture: amd64
Date: Tue Sep 10 13:19:51 2013
GsettingsChanges:
 b'com.ubuntu.update-manager' b'first-run' b'false'
 b'com.ubuntu.update-manager' b'launch-time' b'1378815536'
 b'com.ubuntu.update-manager' b'show-details' b'true'
 b'com.ubuntu.update-manager' b'window-height' b'1079'
 b'com.ubuntu.update-manager' b'window-width' b'680'
InstallationDate: Installed on 2012-11-28 (285 days ago)
InstallationMedia: Xubuntu 12.10 "Quantal Quetzal" - Release amd64 (20121017.1)
MarkForUpload: True
PackageArchitecture: all
SourcePackage: update-manager
UpgradeStatus: Upgraded to raring on 2013-05-14 (118 days ago)

Seth Arnold (seth-arnold) wrote : Bug is not a security issue

Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

information type: Private Security → Public
markling (markling) wrote :

Righto, Seth. Thanks. Apologies for the alarm.

I see how the distinction between whether it *is* a security vulnerability or *might be* one may be important from your point of view. The distinction is less marked for a user in no position to be able to discern the difference, or indeed tell if one that *might be* actually *is*.

Look at it like this: if a user came to you and said, my update notifier says there are 14 updates and yet the Updater says there are 9 - can I go ahead and use the updater without fear that an attacker might find an avenue in this difference to slip in some malicious software? Would you be in a position to say, 'Go ahead: everything's fine'?

Brian Murray (brian-murray) wrote :

This is because update-manager is not offering to install updates that are not completely phased, see further (http://www.murraytwins.com/blog/?p=127), but update-notifier does not take into consideration updates that are currently undergoing phasing.

affects: update-manager (Ubuntu) → update-notifier (Ubuntu)
Changed in update-notifier (Ubuntu):
importance: Undecided → Low
status: New → Triaged
summary: - Software updater says there are 7 updates when there are only 2
+ update-notifier notifies of phased-updates for which you may not be
+ eligible
markling (markling) wrote :

I don't know about the new summary Brian has put on this bug: "update-notifier notifies of phased-updates for which you may not be eligible". But I do know that the original summary I put on it was perfectly comprehensible and that it has now been changed into something almost illegible ;)

This is a user problem. It is not a technical problem. That is, though it may require a technical fix, the bug can only be understood when seen from a user's perspective.

It may well be that the update notifier is telling me about "phased updates for which I am not eligible". But it is a nonsense, from my perspective. (Sincere thanks, however, Brian for the background info). You see, I doubt even that the bug is a bug as error as Brian has described it. But I am certain it is a bug as I have described it. And the same will be true of other users. The bug is more likely to be recognisable and useful with its original summary.

So for example, the update notifier tells me today there are 29 updates available. But the Software Updater tells me there are just 8.

I will therefore be changing the summary back to its original, user's perspective.

This also still looks like a security vulnerability from that perspective. And that counts for quite a lot at the end of the day, how much confidence a user has in his system.

summary: - update-notifier notifies of phased-updates for which you may not be
- eligible
+ update-notifier says 29 updates available but Software Updater says just
+ 8
markling (markling) wrote : Re: update-notifier says 29 updates available but Software Updater says just 8

I just installed those 29 updates, by the way. And then my system does a popup that says: "there are 20 updates available". So here I am with this new update message, and I think either my system didn't check the last lot of updates properly. Or it's got another bunch of updates it could only do after it had done the first lot.

So you go back to the Software Updater again and, like Laurel and Hardy's car mechanic, you click on the update notifier, and it does indeed say there are 20 updates to install. So you click on 'update' a little reluctantly. And, yes it says there are no updates to install! And it sits there the update notifier icon, and you can click on it any time you like, and it will pop up saying, 'there are 20 updates to install', even though there are not.

(It does in fact look like the new 20 might be the updates left from the 29 updates before: it could install only 8 of those, remember. So it installed the eight updates the Software Updater recognised and that leaves twenty... er... one. Twenty one. Okay we seem to have lost an update somewhere. We are still sure this is not a security vulnerability aren't we? Someone must be sure it's not a security vulnerability. Because it looks to me that when I just gave my Software Updater permission to install 8 updates it installed 9).

Brian Murray (brian-murray) wrote :

I modified the title in a way such that it is usable and understandable to me as a developer (and for other developers) when it comes to actually fixing the bug. Additionally, the quantity of updates will always change and having a dynamic number in the bug title probably won't help people find this bug as they may be notified of 26 updates but then only see 23 in update-manager.

summary: - update-notifier says 29 updates available but Software Updater says just
- 8
+ update-notifier notifies of phased-updates for which you may not be
+ eligible
description: updated
Changed in update-notifier (Ubuntu):
importance: Low → Medium
Josué Barroso (josue-s-barroso) wrote :

Update-manager pops up saying that there are no updates available, but apt-get upgrade says otherwise.

kenn (whatnext) wrote :

I have a similar case. Previously I locked "synaptic" to an older version; when I run update-manager, it says 2.4 MB of update is available but does not list it in the GUI.

Brian Murray (brian-murray) wrote :

@Josué - that is because update-manager will decide whether or not to install phased updates but apt-get does not. Subsequently, apt-get will always return more packages than update-manager.

Brian Murray (brian-murray) wrote :

Another consequence of update-notifier not being aware of phased updates is that update-manager may auto-launch telling you your system is up to date.

This happens because update-notifier uses /usr/lib/update-notifier/apt-check to see whether or not there are updates available to install. However, apt-check does not take into consideration whether or not an update is phased. Then if update-notifier determines that updates are available and update-notifier's auto-launch (of update-manager) is set to true (the default), then update-manager will launch and inform you that your system is up to date.
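
A simplified model of the mismatch described in the comment above, added here as an example (it is not apt-check's or update-manager's code): a notifier that counts every candidate upgrade next to a manager that holds back updates still being phased, with the gap reconciled package by package. `Phased-Update-Percentage` is the archive field that carries the phasing level; the package names, the machine id and the hash-based per-machine draw are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Candidate:
    source: str                 # source package name (constructed sample data)
    version: str                # candidate version
    phased_pct: Optional[int]   # Phased-Update-Percentage; None = not phased


def machine_draw(machine_id: str, c: Candidate) -> int:
    """Stable number in 0..99 for this machine and this update.
    Hash-based scheme assumed for illustration only."""
    seed = f"{c.source}-{c.version}-{machine_id}".encode()
    return int.from_bytes(hashlib.sha256(seed).digest()[:8], "big") % 100


def held_back(machine_id: str, c: Candidate) -> bool:
    """True if the update is still phasing and this machine is not selected."""
    if c.phased_pct is None or c.phased_pct >= 100:
        return False
    return machine_draw(machine_id, c) >= c.phased_pct


def reconcile(machine_id: str, candidates: list) -> dict:
    """Explain the gap between the notifier's count and the manager's list."""
    held = sorted(c.source for c in candidates if held_back(machine_id, c))
    return {
        "notifier": len(candidates),             # phasing ignored
        "manager": len(candidates) - len(held),  # phasing honoured
        "held_by_phasing": held,
    }


# Constructed sample: one unphased update, one at 100%, two at 0%.
SAMPLE = [
    Candidate("libfoo", "1.2-0ubuntu1", None),
    Candidate("barutils", "3.0-1ubuntu2", 100),
    Candidate("bazd", "0.9-2ubuntu1", 0),
    Candidate("quxtool", "2.1-0ubuntu3", 0),
]

if __name__ == "__main__":
    print(reconcile("constructed-machine-id", SAMPLE))
```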

Brian Murray (brian-murray) wrote :

One thing to take into consideration when fixing this is that apt-check is also used by update-motd-updates-available which is used on servers to display how many updates are available.

Changed in update-notifier (Ubuntu):
status: Triaged → In Progress
assignee: nobody → Brian Murray (brian-murray)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package update-notifier - 0.147

---------------
update-notifier (0.147) saucy; urgency=low

  * apt-check: port to python3, if it is available use update-manager's
    UpdateList to determine if we will install an update being phased
    (LP: #1223321)
 -- Brian Murray <email address hidden> Wed, 09 Oct 2013 13:32:47 -0700

Changed in update-notifier (Ubuntu):
status: In Progress → Fix Released
Nikolay Morozov (nmorozov) wrote :

Can you fix this bug for raring?
