[Aptitude-devel] Bug#833482: Bug#833482: aptitude: doesn't detect obsolete candidate package (versions)
Manuel A. Fernandez Montecelo
manuel.montezelo at gmail.com
Fri Aug 5 21:49:07 UTC 2016
Control: severity -1 wishlist
Control: tags -1 - security + wontfix
Control: close -1
Hi,
2016-08-02 15:00 Christoph Anton Mitterer:
>Package: aptitude
>Version: 0.8.2-1
>Severity: important
>Tags: security
>
>
>Hi.
>
>I've just stumbled over the following:
>Aptitude doesn't seem to tell people when the candidate and/or installed version
>of a package is obsolete.
>
>Example:
>- Debian seems to have removed the transcode package already back in March.
>- DMO still ships it however.
>- I do have the transcode package from Debian installed.
>- Via apt_preferences, all but a few packages from the DMO repos are "disabled".
>
>Thus I'd never get any candidate version from DMO, while aptitude still shows
>me the package not being obsolete.
>In a way, of course, it is not fully obsolete, but it will never get any updates
>thus no security updates either.
>
>This is also what I think makes this issue important/security:
>One ends up in a situation where the user will neither get updates (cause it's no
>longer in Debian), nor will he even notice that this is the case (not being
>shown as obsolete).
This effect is an interference caused by the repositories that you use.
Debian doesn't sanction the use of any unofficial repositories, and DMO
is well known in the community for causing all sorts of problems when
used along with the main Debian repositories, such as this one.
Among others, it uses packages with a higher epoch so they always take
precedence over Debian's, even if it's 4:1.2.0 versus 3:1.2.1 or
1:1.4.0.
So it's not aptitude's fault if it's fed with bogus data/information for
the repo, really, and the repository tries actively to screw with the
official Debian packages and play with the versioning system in ways
that cause this kind of problem.
If the example was with another repository which is well maintained and
co-operative, e.g. "mozilla.debian.net" containing a package "iceweasel"
for compatibility (which was removed from Debian), the package shouldn't
be considered obsolete.
Obsolete from aptitude is "installed locally but not found in any repo",
which works well for the main intended uses of aptitude.
So it's not an important bug, and aptitude is not the cause of the
security issue -- using DMO is.
If it's for a matter of security, that repository shouldn't be used at
all, so merely installing stuff from it is a big security liability
compared to Debian and many other well maintained repos.
In a deeper sense, the package is dead upstream, thus not maintained,
thus obsolete and a potential security liability, and that's the reason
why it was removed from Debian.
Cheers.
--
Manuel A. Fernandez Montecelo <manuel.montezelo at gmail.com>
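To make the two points in this exchange concrete (epochs always winning the version comparison, and "obsolete" meaning "installed but listed by no repository, regardless of pinning"), here is an added example that is not aptitude's or dpkg's own code. It implements the Debian version ordering from Policy 5.6.12 (the same algorithm as `dpkg --compare-versions`), then runs aptitude's notion of obsolete and the reporter's stricter "nothing apt would ever install" check over a constructed package state. The package versions, the repository entries, the pin values and the `examplecodec` package are all constructed for illustration, and the candidate-selection rule is a simplification of apt's (highest pin, then highest version, negative pin never installable):

```python
"""Added example, not code from aptitude, dpkg or the thread.  Debian
version comparison per Policy 5.6.12, plus two notions of "obsolete"
evaluated over a constructed package state mirroring the thread."""
from dataclasses import dataclass


def _order(c):
    """Weight of one non-digit character: '~' sorts before everything,
    even end of string; letters sort before non-letters (dpkg's rule)."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _cmp_fragment(a, b):
    """Compare an upstream_version or debian_revision fragment; -1/0/1."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: character by character using _order().
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        # Digit run: drop leading zeros; the longer run wins, else first difference.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def parse_version(v):
    """Split '[epoch:]upstream[-revision]'; a missing epoch is 0 and a
    missing revision compares equal to '0'."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """dpkg --compare-versions semantics: -1 if a < b, 0 if equal, 1 if a > b.
    The epoch is compared first, so 4:1.2.0 beats 3:1.2.1 and 1:1.4.0."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


@dataclass(frozen=True)
class RepoVersion:
    package: str
    version: str
    origin: str
    pin: int  # apt pin priority; a negative pin is never installed


# Constructed state (versions and pins are assumptions, not real index data).
INSTALLED = {
    "transcode": "3:1.1.7-9",       # installed from Debian, since removed there
    "iceweasel": "1:45.0-1",        # from a cooperative compatibility repo
    "examplecodec": "3:1.2.1-1",    # constructed package shipped by Debian and DMO
}
REPO = [
    RepoVersion("transcode", "3:1.1.7-1dmo", "DMO", -1),           # DMO pinned away
    RepoVersion("iceweasel", "1:45.0-1", "mozilla.debian.net", 500),
    RepoVersion("examplecodec", "3:1.2.1-1", "Debian", 500),
    RepoVersion("examplecodec", "4:1.2.0-1", "DMO", 500),          # one of the "few" left enabled
]


def obsolete_per_aptitude(installed, repo):
    """The definition in the reply: installed locally, listed by no repo."""
    listed = {rv.package for rv in repo}
    return sorted(p for p in installed if p not in listed)


def candidate(package, repo):
    """Simplified apt candidate: highest pin among installable versions,
    then highest version; None if every listed version is pinned negative."""
    best = None
    for rv in repo:
        if rv.package != package or rv.pin < 0:
            continue
        if best is None or rv.pin > best.pin or (
            rv.pin == best.pin and compare_versions(rv.version, best.version) > 0
        ):
            best = rv
    return best


def no_installable_candidate(installed, repo):
    """The reporter's stricter notion: installed, but apt would never install
    any listed version, so no updates of any kind will arrive."""
    return sorted(p for p in installed if candidate(p, repo) is None)


if __name__ == "__main__":
    print("obsolete per aptitude:", obsolete_per_aptitude(INSTALLED, REPO))
    print("no installable candidate:", no_installable_candidate(INSTALLED, REPO))
    print("examplecodec candidate:", candidate("examplecodec", REPO))
```

With this data, aptitude's rule reports nothing as obsolete, because DMO still lists transcode even though it is pinned so that apt will never install it; the stricter rule reports transcode alone. The `examplecodec` entry shows the epoch effect from the reply: with equal pins, DMO's 4:1.2.0 is the candidate over Debian's 3:1.2.1 even though its upstream version is lower.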