[Aptitude-devel] Bug#833482: Bug#833482: aptitude: doesn't detect obsolete candidate package (versions)

Axel Beckert abe at debian.org
Sat Aug 6 12:42:38 UTC 2016


Hi,

while Manuel already lowered the severity and removed the security
tag, I also started to write a similar reply but haven't found time to
finish it.

As I have suggestions on how to do what you want just by configuring
aptitude differently, I'll still post my reply:

Christoph Anton Mitterer wrote:
> Aptitude doesn't seem to tell people when the candidate and/or installed version
> of a package is obsolete.

I'm sorry, but that's not true. Obsolete packages show up in the
"Obsolete and Locally Created Packages" branch.

> - Debian seems to have removed the transcode package already back in March.
> - DMO still ships it however.

Then the package is not obsolete because it's downloadable. Please see
https://aptitude.alioth.debian.org/doc/en/ch02s04s05.html#searchObsolete
for what "obsolete" means in aptitude's context.

> - I do have the transcode package from Debian installed.
> - Via apt_preferences, all but a few packages from the DMO repos are "disabled".
> 
> Thus I'd never get any candidate version from DMO, while aptitude still shows
> me the package not being obsolete.

I don't see the problem. That's what you configured, so that's what
you get.

> In a way, of course, it is not fully obsolete,

Exactly.

> but it will never get any updates thus no security updates either.

Yes, because you configured it to do so. If you hadn't added
the DMO repos, it would clearly show up in the "Obsolete and Locally
Created Packages" branch.

> This is also what I think makes this issue important/security:
> One ends up in a situation where the user will neither get updates (cause it's no
> longer in Debian), nor will he even notice that this is the case (not being
> shown as obsolete).

I strongly disagree here. You ask for "A" although your configuration
says "B".

BTW: You can get all those packages if you use "aptitude search" or the
TUI's "limit" command with "~i ?any-version(!~O.) !~U !~o". This
matches both, packages newer than in the archive as well as packages
with newer versions available, but pinned down.

You can even use this pattern in the configurable grouping method for
package views (Aptitude::UI::Default-Grouping). So if you want this in
the TUI, it's already possible: Just prepend "pattern(~i
?any-version(!~O.) !~U !~o => Non-upgradable packages not from
archive, ?true ||)," to Aptitude::UI::Default-Grouping (i.e. before
"status") and then you get a new branch in the TUI which shows only
these packages. (Might need some more fine-tuning for further
corner-cases but works for me as command-line alias well enough for
years now.)

We might consider adding such a branch to aptitude's TUI, but at least
the implementation above is rather slow, so unless we find a more
efficient pattern or some other more direct way, I'd not add that. (So
Manuel's "wontfix" tag is correct for the time being.)

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe at debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
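
An added example, not part of the message above and not aptitude code: a cross-check for the case discussed in this thread, working from `apt-cache policy` output instead of an aptitude search pattern. The sample output (versions, priorities, the example URLs) is constructed, and the function names are hypothetical.

```python
import re
STATUS = "/var/lib/dpkg/status"
# Constructed `apt-cache policy` output; versions, priorities and URLs are made up.
SAMPLE = """\
transcode:
  Installed: 3:1.1.7-9
  Candidate: 3:1.1.7-9
  Version table:
     4:1.1.7-dmo1 -1
         -1 http://dmo.example/debian stable/main amd64 Packages
 *** 3:1.1.7-9 100
        100 /var/lib/dpkg/status
vim:
  Installed: 2:7.4.488-7
  Candidate: 2:7.4.488-7
  Version table:
 *** 2:7.4.488-7 500
        500 http://deb.example/debian stable/main amd64 Packages
        100 /var/lib/dpkg/status
"""

def parse_policy(text):
    """Map package -> {"installed": version, "versions": {version: [(prio, source)]}}."""
    pkgs, cur, ver = {}, None, None
    for line in text.splitlines():
        if m := re.match(r"(\S+):$", line):                         # "pkg:" header
            cur, ver = pkgs.setdefault(m.group(1), {"installed": None, "versions": {}}), None
        elif cur is None:
            continue
        elif m := re.match(r"  Installed: (\S+)", line):
            cur["installed"] = m.group(1)
        elif m := re.match(r" (?:\*\*\*|   ) (\S+) -?\d+$", line):  # version line
            ver = cur["versions"].setdefault(m.group(1), [])
        elif ver is not None and (m := re.match(r"\s+(-?\d+) (\S+)", line)):
            ver.append((int(m.group(1)), m.group(2)))               # source of that version
    return pkgs

def without_update_path(pkgs):
    """Installed packages with no repository copy and only negatively pinned alternatives."""
    found = []
    for name, p in sorted(pkgs.items()):
        inst = p["installed"]
        in_repo = any(s != STATUS for _, s in p["versions"].get(inst, []))
        if inst in (None, "(none)") or in_repo:
            continue
        prios = [pr for v, srcs in p["versions"].items() if v != inst for pr, _ in srcs]
        if all(pr < 0 for pr in prios):  # apt_preferences: P < 0 is never installed
            found.append((name, inst, "pinned-away" if prios else "obsolete"))
    return found
```

On a real system the input would be the output of `apt-cache policy` for the installed package names; "pinned-away" marks the situation from the bug report, where another version is downloadable but the pin keeps it from ever becoming a candidate.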


