Ubuntu
apt package

apt cannot upgrade phased updates if the current security version is same as updates

Bug #2051181 reported by Andy Chi
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apt (Ubuntu)
Status tracked in Noble
Jammy
Fix Released
Undecided
Unassigned
Mantic
Fix Released
Undecided
Unassigned
Noble
Fix Released
Critical
Julian Andres Klode

Bug Description

[Impact]
A package that has the same version in -security and -updates, with the latter having a Phased-Update-Percentage set is subject to phasing which is not expected by the security team.

[Test plan]
An automatic test case has been added to apt's comprehensive integration test suite that simulates the problem. Passing of the autopkgtests is a successful test.

[Where problems could occur]
The fix in question changes the behavior, some people may have relied on that, but also this should not have happened server side (normally security updates do not receive a value but the real one in this case went a different route).

Otherwise the fix is fairly contained, it removes a single OtherVer++ increment which made it go one version below the current version, so we do not expect any problems; setting aside the usual regression potential from bugs in the compiler and so on.

[Original bug report]
When I finished installation with Jammy 22.04.3, I noticed that nvidia-driver-535 cannot be upgrade by either `apt upgrade` nor `apt dist-upgrade`.

Below is the log of apt upgrade:
ubuntu@ubuntu:~$ sudo apt -o Debug::pkgProblemResolver=1 upgrade --dry-run [2/1878]
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Entering ResolveByKeep 10%
  Dependencies are not satisfied for nvidia-driver-535:amd64 < 535.129.03-0ubuntu0.22.04.1 | 535.154.05-0ubuntu0.22.04.1 @ii pumH NPb Ib >
Package nvidia-driver-535:amd64 nvidia-driver-535:amd64 Depends on nvidia-dkms-535:amd64 < none | 535.154.05-0ubuntu0.22.04.1 @un umH > (<= 535.129.03-1)
  Keeping Package linux-modules-nvidia-535-oem-22.04c:amd64 due to Depends
  Dependencies are not satisfied for linux-modules-nvidia-535-oem-22.04c:amd64 < 6.1.0-1027.27 | 6.1.0-1028.28+2 @ii umH Ib >
Keeping package linux-modules-nvidia-535-oem-22.04c:amd64
  Dependencies are not satisfied for linux-modules-nvidia-535-oem-22.04c:amd64 < 6.1.0-1027.27 | 6.1.0-1028.28+2 @ii umH Ib >
Package linux-modules-nvidia-535-oem-22.04c:amd64 linux-modules-nvidia-535-oem-22.04c:amd64 Depends on linux-modules-nvidia-535-6.1.0-1027-oem:amd64 < 6.1.0-1027.27 -> 6.1.0-1027.27+1 @ii umU Ib > (= 6.1.0-1027.27)
  Keeping Package linux-modules-nvidia-535-6.1.0-1027-oem:amd64 due to Depends
  Dependencies are not satisfied for linux-modules-nvidia-535-6.1.0-1028-oem:amd64 < none -> 6.1.0-1028.28+2 @un uN Ib >
Keeping package linux-modules-nvidia-535-6.1.0-1028-oem:amd64
  Dependencies are not satisfied for linux-modules-nvidia-535-6.1.0-1027-oem:amd64 < 6.1.0-1027.27 | 6.1.0-1027.27+1 @ii umH Ib >
Keeping package linux-modules-nvidia-535-6.1.0-1027-oem:amd64
  Dependencies are not satisfied for linux-modules-nvidia-535-6.1.0-1027-oem:amd64 < 6.1.0-1027.27 | 6.1.0-1027.27+1 @ii umH Ib >
Package linux-modules-nvidia-535-6.1.0-1027-oem:amd64 linux-modules-nvidia-535-6.1.0-1027-oem:amd64 Depends on linux-signatures-nvidia-6.1.0-1027-oem:amd64 < 6.1.0-1027.27 -> 6.1.0-1027.27+1 @ii umU > (= 6.1.0-1027.27)
  Keeping Package linux-signatures-nvidia-6.1.0-1027-oem:amd64 due to Depends
  Dependencies are not satisfied for linux-modules-nvidia-535-6.1.0-1027-oem:amd64 < 6.1.0-1027.27 | 6.1.0-1027.27+1 @ii umH Ib >
  Dependencies are not satisfied for linux-modules-nvidia-535-6.1.0-1027-oem:amd64 < 6.1.0-1027.27 | 6.1.0-1027.27+1 @ii umH Ib >
  Dependencies are not satisfied for linux-modules-nvidia-535-6.1.0-1027-oem:amd64 < 6.1.0-1027.27 | 6.1.0-1027.27+1 @ii umH Ib >
Package linux-modules-nvidia-535-6.1.0-1027-oem:amd64 linux-modules-nvidia-535-6.1.0-1027-oem:amd64 Depends on linux-objects-nvidia-535-6.1.0-1027-oem:amd64 < 6.1.0-1027.27 -> 6.1.0-1027.27+1 @ii umU > (= 6.1.0-1027.27)
  Keeping Package linux-objects-nvidia-535-6.1.0-1027-oem:amd64 due to Depends

https://pastebin.canonical.com/p/7frwTKZG6D/

See original description
Julian Andres Klode (juliank)
tags: added: foundations-todo
Changed in apt (Ubuntu):
importance: Undecided → Critical
assignee: nobody → Julian Andres Klode (juliank)
status: New → In Progress
status: In Progress → Triaged
Revision history for this message
Julian Andres Klode (juliank) wrote :

Fixed in apt git.

summary: - apt cannot upgrade packages if the current security version is same as
- updates
+ apt cannot upgrade phased updates if the current security version is
+ same as updates
description: updated
Changed in apt (Ubuntu):
status: Triaged → Fix Committed
Revision history for this message
Julian Andres Klode (juliank) wrote :

See https://salsa.debian.org/apt-team/apt/-/commit/26e0e9b76fb06afe5250eeb8e5b3d069d4793432 for the fix

Changed in apt (Ubuntu Mantic):
status: New → Triaged
Changed in apt (Ubuntu Jammy):
status: New → Triaged
Revision history for this message
Julian Andres Klode (juliank) wrote :

Also cherry-picked to the ubuntu/mantic and 2.4.y branches for mantic and jammy.

Revision history for this message
Julian Andres Klode (juliank) wrote :

SRUs uploaded. Setting to Fix committed for internal tooling tracking needs (I understand normally SRUs should be In Progress, but then the tool reopens the task...)

Changed in apt (Ubuntu Mantic):
status: Triaged → Fix Committed
Changed in apt (Ubuntu Jammy):
status: Triaged → Fix Committed
Revision history for this message
Robie Basak (racb) wrote : Please test proposed package

Hello Andy, or anyone else affected,

Accepted apt into mantic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apt/2.7.3ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-mantic to verification-done-mantic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-mantic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed verification-needed-mantic
tags: added: verification-needed-jammy
Revision history for this message
Robie Basak (racb) wrote :

Hello Andy, or anyone else affected,

Accepted apt into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apt/2.4.12 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (apt/2.4.12)

All autopkgtests for the newly accepted apt (2.4.12) for jammy have finished running.
The following regressions have been reported in tests triggered by the package:

livecd-rootfs/2.765.38 (amd64, arm64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/jammy/update_excuses.html#apt

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (apt/2.7.3ubuntu0.1)

All autopkgtests for the newly accepted apt (2.7.3ubuntu0.1) for mantic have finished running.
The following regressions have been reported in tests triggered by the package:

apport/2.27.0-0ubuntu5 (amd64)
apt/2.7.3ubuntu0.1 (armhf)
auto-apt-proxy/14.1 (arm64)
livecd-rootfs/23.10.57 (ppc64el)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/mantic/update_excuses.html#apt

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 2.7.11

---------------
apt (2.7.11) unstable; urgency=medium

  [ David Kalnischkies ]
  * Remove erroneous -a flag from apt-get synopsis in manpage
  * Support -a for setting host architecture in apt-get source -b

  [ Julian Andres Klode ]
  * For phasing, check if current version is a security update, not just previous ones
    (LP: #2051181)
  * Add public phased update API
  * Add a new ?phasing pattern
  * Add the ?security pattern
  * Show a separate list of upgrades deferred due to phasing (LP: #1988819)

 -- Julian Andres Klode <email address hidden> Tue, 13 Feb 2024 16:31:00 +0100

Changed in apt (Ubuntu Noble):
status: Fix Committed → Fix Released
Revision history for this message
Julian Andres Klode (juliank) wrote :

The regressions on mantic have cleared up and the tests of apt have passed so this is verified there.

Still clearing out a regression from update-manager:i386 on jammy-

tags: added: verification-done-mantic
removed: verification-needed-mantic
Revision history for this message
Julian Andres Klode (juliank) wrote :

jammy is green too now

tags: added: verification-done verification-done-jammy
removed: verification-needed verification-needed-jammy
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 2.7.3ubuntu0.1

---------------
apt (2.7.3ubuntu0.1) mantic; urgency=medium

  * Restore ?garbage by calling MarkAndSweep before parsing (LP: #1995790)
  * For phasing, check if current version is a security update, not just previous ones
    (LP: #2051181)
  * Point gitlab-ci and gbp at mantic branch
  * CI: Do not require UID 1000 for our test user

 -- Julian Andres Klode <email address hidden> Tue, 13 Feb 2024 18:22:07 +0100

Changed in apt (Ubuntu Mantic):
status: Fix Committed → Fix Released
Revision history for this message
Andreas Hasenack (ahasenack) wrote : Update Released

The verification of the Stable Release Update for apt has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 2.4.12

---------------
apt (2.4.12) jammy; urgency=medium

  * Restore ?garbage by calling MarkAndSweep before parsing (LP: #1995790)
  * For phasing, check if current version is a security update, not just previous ones
    (LP: #2051181)

 -- Julian Andres Klode <email address hidden> Tue, 13 Feb 2024 16:39:04 +0100

Changed in apt (Ubuntu Jammy):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.