/usr/bin/unattended-upgrade:UnboundLocalError:/usr/bin/unattended-upgrade@1991:main:do_auto_remove

This bug was fixed in the package unattended-upgrades - 1.5ubuntu3

---------------
unattended-upgrades (1.5ubuntu3) cosmic; urgency=medium

  * Skip already adjusted packages from being checked for readjusting.
    This makes it clearer that the recursion ends and can also be a bit quicker.
    (LP: #1790687)
  * Fix PEP 8 warnings.
    Also ignore "W503 line break before binary operator" because it will
    become the best practice.
  * Don't crash on missing dpkg log file (LP: #1795692)
  * do_auto_remove() is successful unless a commit() operation fails
    (LP: #1795696)
  * Check only dowloaded .deb files for conffile prompts (LP: #1796100)

 -- Balint Reczey <email address hidden> Sun, 07 Oct 2018 23:16:17 +0200

Imho this is a mild security issue. For instance, we have a number of managed clients that rely on unattended-upgrades to install security patches every day. This bugs prevents those daily updates to run and it has the potential to be overlooked in automated environments like ours.

Bionic desperately needs the the patch from https://github.com/mvo5/unattended-upgrades/commit/72cf879db2ccc21cb8f0885ce4d9cb82f70fedaf#diff-6c85bf717c6bff92cf4c9076f32c3f16L1529

@mk-uone This crash was reported only 2 times last month on errors.ubuntu.com thus while I agree that this is a bug, it is not hit very often and systems seem to recover run u-u fine next time and continue installing updates.

The overall effect seems to be installing security updates one day later in some rare cases.

The fix could certainly be backported, but there are other issues with bigger impact thus those have higher priority.

> The overall effect seems to be installing security updates one day later in some rare cases.

Are you sure about that?

root@lab:~# journalctl | grep -i unbound
[...]
Mar 01 06:33:17 lab apt.systemd.daily[4984]: UnboundLocalError: local variable 'res' referenced before assignment
Mar 02 06:17:17 lab apt.systemd.daily[15459]: UnboundLocalError: local variable 'res' referenced before assignment
Mar 03 06:37:37 lab apt.systemd.daily[25767]: UnboundLocalError: local variable 'res' referenced before assignment
Mar 04 06:42:43 lab apt.systemd.daily[3280]: UnboundLocalError: local variable 'res' referenced before assignment
Mar 05 06:46:11 lab apt.systemd.daily[16970]: UnboundLocalError: local variable 'res' referenced before assignment
Mar 06 06:13:43 lab apt.systemd.daily[30101]: UnboundLocalError: local variable 'res' referenced before assignment
Mar 07 06:08:17 lab apt.systemd.daily[10414]: UnboundLocalError: local variable 'res' referenced before assignment
Mar 08 06:25:43 lab apt.systemd.daily[23872]: UnboundLocalError: local variable 'res' referenced before assignment
Mar 09 06:34:18 lab apt.systemd.daily[4459]: UnboundLocalError: local variable 'res' referenced before assignment
Mar 10 06:02:57 lab apt.systemd.daily[15978]: UnboundLocalError: local variable 'res' referenced before assignment
Mar 11 06:36:01 lab apt.systemd.daily[29894]: UnboundLocalError: local variable 'res' referenced before assignment

@mk-uone No, but up to this point no one reported this bug re-occuring. Thank you for your additional info.
Could you please debug how u-u fails on you system by running u-u --verbose --debug while I prepare the backport?

Luckily I found an older machine I didn't fix manually today :)

[...]
check_conffile_prompt(/var/cache/apt/archives/gnupg2_2.2.4-1ubuntu1.2_all.deb)
found pkg: gnupg2
No conffiles in deb /var/cache/apt/archives/gnupg2_2.2.4-1ubuntu1.2_all.deb (There is no member named 'conffiles')
blacklist: []
whitelist: []
Removing unused kernel packages: linux-modules-4.15.0-36-generic linux-image-4.15.0-36-generic linux-headers-4.15.0-36-generic linux-modules-extra-4.15.0-36-generic linux-headers-4.15.0-36
Keeping 5 auto-removable package(s) because it would also remove the following packages which should be kept in this step: apt apt-transport-https apt-utils avahi-autoipd avahi-daemon avahi-utils bind9-host chromium-browser chromium-browser-l10n chromium-codecs-ffmpeg cups cups-bsd cups-client cups-common cups-core-drivers cups-daemon cups-ipp-utils cups-ppdc cups-server-common dnsutils file firefox firefox-locale-en gdm3 ghostscript ghostscript-x gir1.2-gdm-1.0 gir1.2-gnomebluetooth-1.0 gir1.2-gnomedesktop-3.0 gir1.2-javascriptcoregtk-4.0 gir1.2-polkit-1.0 gir1.2-webkit2-4.0 gnome-bluetooth gnome-desktop3-data gnupg-agent gnupg2 gvfs gvfs-backends gvfs-bin gvfs-common gvfs-daemons gvfs-fuse gvfs-libs initramfs-tools initramfs-tools-bin initramfs-tools-core krb5-locales libapt-inst2.0 libapt-pkg5.0 libarchive13 libavahi-client3 libavahi-common-data libavahi-common3 libavahi-core7 libavahi-glib1 libavahi-ui-gtk3-0 libbind9-160 libcaca0 libconfuse-common libconfuse2 libcups2 libcupscgi1 libcupsimage2 libcupsmime1 libcupsppdc1 libcurl3-gnutls libdns-export1100 libdns1100 libexiv2-14 libfreerdp-client2-2 libfreerdp2-2 libgd3 libgdm1 libgnome-bluetooth13 libgnome-desktop-3-17 libgs9 libgs9-common libgssapi-krb5-2 libirs160 libisc-export169 libisc169 libisccc160 libisccfg160 libjavascriptcoregtk-4.0-18 libk5crypto3 libkrb5-3 libkrb5support0 libldb1 liblwres160 libmagic-mgc libmagic1 libnss-myhostname libnss-systemd libnss3 libpam-systemd libpolkit-agent-1-0 libpolkit-backend-1-0 libpolkit-gobject-1-0 libpoppler-glib8 libpoppler73 libraw16 libssl1.0.0 libssl1.1 libsystemd0 libtiff5 libu2f-udev libudev1 libvncclient1 libwavpack1 libwebkit2gtk-4.0-37 libwebkit2gtk-4.0-37-gtk2 libwinpr2-2 libzmq5 linux-firmware linux-generic linux-generic-hwe-16.04 linux-headers-4.15.0-46 linux-headers-4.15.0-46-generic linux-headers-generic linux-image-4.15.0-46-generic linux-image-generic linux-libc-dev linux-modules-4.15.0-46-generic linux-modules-extra-4.15.0-46-generic nplan openjdk-8-jdk openjdk-8-jdk-headless openjdk-8-jre openjdk-8-jre-headless openssl policykit-1 poppler-utils python-ldb python3-lxml snapd systemd systemd-sysv thunderbird thunderbird-gnome-support thunderbird-locale-en thunderbird-locale-en-us tzdata ubuntu-core-launcher udev
Traceback (most recent call last):
  File "/usr/bin/unattended-upgrade", line 1998, in <module>
    sys.exit(main(options))
  File "/usr/bin/unattended-upgrade", line 1798, in main
    options.verbose or options.debug, options.dry_run)
  File "/usr/bin/unattended-upgrade", line 1495, in do_auto_remove
    if res:
UnboundLocalError: local variable 'res' referenced before assignment
Error in atexit._run_exitfuncs:
FileNotFoundError: ...

Yes, thanks!

The output of apt list --autoremovable would be useful as well.

My apt doesn't have that option (yet?)

Instead I used:

# apt-get --dry-run autoremove | grep ^Remv
Remv ccnet [6.1.5-1]
Remv libccnet0 [6.1.5-1]
Remv libseafile0 [6.1.8-1240~ubuntu16.04.1]
Remv libsearpc1 [3.0.8.3-138~ubuntu16.04.1]
Remv linux-headers-4.15.0-36-generic [4.15.0-36.39]
Remv linux-headers-4.15.0-36 [4.15.0-36.39]
Remv linux-modules-extra-4.15.0-36-generic [4.15.0-36.39]
Remv linux-image-4.15.0-36-generic [4.15.0-36.39]
Remv linux-modules-4.15.0-36-generic [4.15.0-36.39]
Remv python-searpc [3.0.8-1]

Hello errors.ubuntu.com, or anyone else affected,

Accepted unattended-upgrades into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/unattended-upgrades/1.1ubuntu1.18.04.10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Verified with 1.1ubuntu1.18.04.10 on Bionic:

...
root@bb-uu-lp-1795696-verify:~# eatmydata apt install linux-image-unsigned-4.18.0-13-generic linux-image-unsigned-4.18.0-14-generic linux-image-unsigned-4.18.0-15-generic
...
root@bb-uu-lp-1795696-verify:~# apt-mark auto linux-image-unsigned-4.18.0-13-generic linux-image-unsigned-4.18.0-14-generic linux-image-unsigned-4.18.0-15-generic
linux-image-unsigned-4.18.0-13-generic set to automatically installed.
linux-image-unsigned-4.18.0-14-generic set to automatically installed.
linux-image-unsigned-4.18.0-15-generic set to automatically installed.
root@bb-uu-lp-1795696-verify:~# /etc/kernel/postinst.d/apt-auto-removal
root@bb-uu-lp-1795696-verify:~# apt autoremove
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  grub-common grub-gfxpayload-lists grub-pc grub-pc-bin grub2-common libfreetype6 linux-image-unsigned-4.18.0-13-generic linux-image-unsigned-4.18.0-14-generic
  linux-image-unsigned-4.18.0-15-generic linux-modules-4.18.0-13-generic linux-modules-4.18.0-14-generic linux-modules-4.18.0-15-generic os-prober
0 upgraded, 0 newly installed, 13 to remove and 7 not upgraded.
After this operation, 239 MB disk space will be freed.
Do you want to continue? [Y/n] n
Abort.
root@bb-uu-lp-1795696-verify:~# vi /etc/apt/apt.conf.d/50unattended-upgrades
root@bb-uu-lp-1795696-verify:~# grep Minimal /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::MinimalSteps "false";
root@bb-uu-lp-1795696-verify:~# unattended-upgrade --dry-run --verbose
Initial blacklisted packages:
Initial whitelisted packages:
Starting unattended upgrades script
Allowed origins are: o=Ubuntu,a=bionic, o=Ubuntu,a=bionic-security, o=UbuntuESM,a=bionic
Removing unused kernel packages: linux-modules-4.18.0-13-generic linux-modules-4.18.0-15-generic linux-modules-4.18.0-14-generic
Keeping 3 auto-removable package(s) because it would also remove the following packages which should be kept in this step: libntfs-3g88 linux-image-unsigned-4.18.0-13-generic linux-image-unsigned-4.18.0-14-generic linux-image-unsigned-4.18.0-15-generic ntfs-3g snapd
Traceback (most recent call last):
  File "/usr/bin/unattended-upgrade", line 1998, in <module>
    sys.exit(main(options))
  File "/usr/bin/unattended-upgrade", line 1798, in main
    options.verbose or options.debug, options.dry_run)
  File "/usr/bin/unattended-upgrade", line 1495, in do_auto_remove
    if res:
UnboundLocalError: local variable 'res' referenced before assignment
oot@bb-uu-lp-1795696-verify:~# echo "deb http://archive.ubuntu.com/ubuntu/ bionic-proposed restricted main multiverse universe" > /etc/apt/sources.list.d/proposed.list
root@bb-uu-lp-1795696-verify:~# apt update -qq
33 packages can be upgraded. Run 'apt list --upgradable' to see them.
root@bb-uu-lp-1795696-verify:~# apt install unattended-upgrades
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  grub-common grub-gfxpayload-lists grub-pc grub-pc-bin grub2-common libfreetype6 linux-image-unsigned-4.1...

This bug was fixed in the package unattended-upgrades - 1.1ubuntu1.18.04.10

---------------
unattended-upgrades (1.1ubuntu1.18.04.10) bionic; urgency=medium

  * do_auto_remove() is successful unless a commit() operation fails
    (LP: #1795696)
  * Compare apt.package.Version objects and not the versions' string
    representation. (LP: #1820888)
    This prevented adjusting candidates when the strings sorted differently.
    Also extend tests to catch issue.
  * Fall back to adjusting more packages' candidates
    when a package from an allowed origin can't be marked to install/upgrade.
    (LP: #1821101)

 -- Balint Reczey <email address hidden> Mon, 25 Mar 2019 18:17:56 +0100

The verification of the Stable Release Update for unattended-upgrades has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Hello errors.ubuntu.com, or anyone else affected,

Accepted unattended-upgrades into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/unattended-upgrades/1.1ubuntu1.18.04.7~16.04.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Verified 1.1ubuntu1.18.04.7~16.04.3 on Xenial:

root@x-lp-1795696:~# apt-get autoremove
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  linux-image-unsigned-4.15.0-34-generic linux-modules-4.15.0-34-generic
0 upgraded, 0 newly installed, 2 to remove and 0 not upgraded.
After this operation, 74.5 MB disk space will be freed.
Do you want to continue? [Y/n] n
Abort.
root@x-lp-1795696:~# dpkg -l unattended-upgrades | cat
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-===================-==========================-============-===========================================
ii unattended-upgrades 1.1ubuntu1.18.04.7~16.04.2 all automatic installation of security upgrades
root@x-lp-1795696:~# unattended-upgrade --dry-run
Traceback (most recent call last):
  File "/usr/bin/unattended-upgrade", line 1998, in <module>
    sys.exit(main(options))
  File "/usr/bin/unattended-upgrade", line 1798, in main
    options.verbose or options.debug, options.dry_run)
  File "/usr/bin/unattended-upgrade", line 1495, in do_auto_remove
    if res:
UnboundLocalError: local variable 'res' referenced before assignment
...
root@x-lp-1795696:~# dpkg -l unattended-upgrades | cat
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-===================-==========================-============-===========================================
ii unattended-upgrades 1.1ubuntu1.18.04.7~16.04.3 all automatic installation of security upgrades
root@x-lp-1795696:~# unattended-upgrade --dry-run
root@x-lp-1795696:~# unattended-upgrade --dry-run --verbose
Initial blacklisted packages:
Initial whitelisted packages:
Starting unattended upgrades script
Allowed origins are: o=Ubuntu,a=xenial, o=Ubuntu,a=xenial-security, o=UbuntuESM,a=xenial
Removing unused kernel packages: linux-modules-4.15.0-34-generic
Keeping 1 auto-removable package(s) because it would also remove the following packages which should be kept in this step: linux-image-unsigned-4.15.0-34-generic
Packages that were successfully auto-removed:
Packages that are kept back:
No packages found that can be upgraded unattended and no pending auto-removals

This bug was fixed in the package unattended-upgrades - 1.1ubuntu1.18.04.7~16.04.3

---------------
unattended-upgrades (1.1ubuntu1.18.04.7~16.04.3) xenial; urgency=medium

  * Detect changes to moved conffiles (LP: #1823872)
    - Add tests for checking conffile moves.
      Build depend on and use equivs to generate new test packages
    - Split() conffile data to set of names only once
    - Don't parse dpkg conffile db when there are no conffiles in the package
  * Detect unchanged moved conffiles.
    When a package moves a conffile properly without any change no conffile
    prompt needs to be shown thus the package can be upgraded unattended.
    (LP: #1823872)
  * Skip sending email when no package had to be installed, upgraded or removed
    (LP: #1821103) (Closes: #924554)
  * Make sure autoremovals don't start with a dirty cache and remove other
    packages (LP: #1824341)
  * Continue applying minimal sets when one set can't be marked for upgrade.
    Thanks to Anderson Luiz Alves for the patch, it needed minor modifications
    (LP: #1824341)
  * Stop raising NoAllowedOriginError when marking packages to upgrade/install
    fails (LP: #1824876)
  * Adjust only transitive dependencies in the fallback when a package from an
    allowed origin can't be marked to install/upgrade.
    This is a much lighter approach than marking every upgradable package
    because the full fallback was triggered on packages held back as well,
    using an excessive amount of CPU time.
    Also it crashed with packages not having any version in allowed origins.
    (LP: #1824804, #1824949)
  * Skip trying to upgrade held packages in call_adjusted() (LP: #1824804)
  * Follow all kinds of transitive dependencies when adjusting dependencies
  * Don't crash collecting transitive dependencies when package has no candidate
    (LP: #1825886)
  * Use mark_install_adjusted() in rewind_cache()
    The original cache had packages marked with adjustments thus rewinding
    should also do adjustments to reach the same state.
    Also not using mark_install_adjusted() crashes when apt raises error on
    held packages. (LP: #1826157)
    - test_rewind: Update test to check if adjustend rewinding took place
  * do_auto_remove() is successful unless a commit() operation fails
    (LP: #1795696)
  * Compare apt.package.Version objects and not the versions' string
    representation. (LP: #1820888)
    This prevented adjusting candidates when the strings sorted differently.
    Also extend tests to catch issue.
  * Fall back to adjusting more packages' candidates
    when a package from an allowed origin can't be marked to install/upgrade.
    (LP: #1821101)

 -- Balint Reczey <email address hidden> Mon, 29 Apr 2019 12:23:14 +0200