[Aptitude-devel] Bug#787658: aptitude ignores available updates for a while after downgrades

Christoph Anton Mitterer calestyo at scientia.net
Wed Jun 3 20:48:25 UTC 2015


Package: aptitude
Version: 0.6.11-1+b1
Severity: important
Tags: security


Hi.

The following behaviour has existed for quite some time (at least several years I'd say)
already, but so far I've always been too lazy to report it.


Just before, I stumbled over #787653, so I tried to find out which package upgrade could have
caused the troubles.
Normally I have just sid enabled in sources.list, so I've uncommented testing,
started downgrading a few packages, tried whether evolution starts again... the usual
game so to say.


Now the problem from aptitude side is, that after the packages have been downgraded
(in the example above the curl/libcurl packages) it doesn't offer them for upgrade
anymore, even though unstable is still enabled in sources.list and the newer packages
are still available.


apt however, still identifies the newer one correctly as candidate version:

# apt-cache policy curl
curl:
  Installed: 7.42.1-2
  Candidate: 7.42.1-2+b1
  Version table:
     7.42.1-2+b1 0
        500 http://ftp.de.debian.org/debian/ unstable/main amd64 Packages
 *** 7.42.1-2 0
        500 http://ftp.de.debian.org/debian/ testing/main amd64 Packages
        100 /var/lib/dpkg/status

and it would also update it:

# apt-get upgrade --dry-run
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... The following packages were automatically installed and are no longer required:
<snip snap>
Use 'apt-get autoremove' to remove them.
Done
The following packages will be upgraded:
  curl <snip snap>
  <snip snap> libcurl3 libcurl3-gnutls <snip snap>
  <snip snap>


aptitude however doesn't,... it's not listed in the "Upgradable Packages"
and when pressing "+" on the respective package (which does show both versions)
it doesn't select the correct candidate version (it does though when I press "+"
directly on the version).


Neither "Update package list", nor "Clean package cache" or "Clean obsolete files"
resolves this situation.
But at least this time (I haven't tried that before), "Cancel pending actions" plus
restarting solved the issue, and the packages re-appeared for upgrade.

So far (as said, I haven't tried the above before), the situation usually resolved
by itself after a while (I suspect it did when really new Package lists came in
from the repo).


I think I have seen the whole issue even when packages were downgraded, but when
I had already commented/disabled the "lower" repo (e.g. test) again.


Last but not least, since this may be "used" to accidentally hide security upgrades,
I selected important as severity. I'd guess a higher severity is not needed, since
downgrades typically don't happen automatically, so the admin has at least a clue
that he runs on an older version.




Cheers,
Chris.
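
Added example (not part of the original report, and not apt or aptitude code): a cross-check that does not rely on aptitude's "Upgradable Packages" view. It parses `apt-cache policy` output like the one quoted in the report and lists installed packages whose candidate differs from the installed version, with the archive the candidate comes from. The function names and the stdin usage are assumptions of this example; the sample input is copied from the report.

```python
import re
import sys

# Sample input: the `apt-cache policy curl` output quoted in the report.
SAMPLE = """\
curl:
  Installed: 7.42.1-2
  Candidate: 7.42.1-2+b1
  Version table:
     7.42.1-2+b1 0
        500 http://ftp.de.debian.org/debian/ unstable/main amd64 Packages
 *** 7.42.1-2 0
        500 http://ftp.de.debian.org/debian/ testing/main amd64 Packages
        100 /var/lib/dpkg/status
"""

def parse_policy(text):
    """Parse `apt-cache policy` output into {pkg: {installed, candidate, sources}}."""
    pkgs, cur, ver = {}, None, None
    for line in text.splitlines():
        if m := re.match(r"^(\S+):$", line):              # package header, e.g. "curl:"
            cur = pkgs.setdefault(m[1], {"installed": None, "candidate": None, "sources": {}})
            ver = None
        elif cur is None:
            continue
        elif m := re.match(r"^  (Installed|Candidate): (\S+)", line):
            cur[m[1].lower()] = m[2]
        elif m := re.match(r"^ (?:\*\*\*|   ) (\S+) -?\d+$", line):  # version row
            ver = m[1]
            cur["sources"][ver] = []
        elif ver and (m := re.match(r"^\s+-?\d+ (.+)$", line)):      # origin row
            cur["sources"][ver].append(m[1])
    return pkgs

def pending(pkgs):
    """Installed packages whose apt candidate differs from the installed version."""
    out = []
    for name, p in sorted(pkgs.items()):
        if p["installed"] not in (None, "(none)") and p["candidate"] != p["installed"]:
            out.append((name, p["installed"], p["candidate"],
                        p["sources"].get(p["candidate"], [])))
    return out

if __name__ == "__main__":
    # Pipe real output in, e.g.  apt-cache policy curl libcurl3 | python3 this_file.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for name, inst, cand, origins in pending(parse_policy(text)):
        print(f"{name}: installed {inst}, candidate {cand}, from {origins}")
```

The comparison is plain inequality, not Debian version ordering, so a pinned candidate lower than the installed version would be listed as well.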


