[Aptitude-devel] Bug#328620: aptitude: Status grouppolicy miscategorizes security updates retrieved from apt-proxy

Manuel A. Fernandez Montecelo manuel.montezelo at gmail.com
Tue Mar 1 19:27:33 UTC 2016


Hi all,

Removing a few people/lists for which I don't think it will be
interesting, keeping others from previous messages of the related bug
report.

I don't know if ftpmasters@ is really adequate to mail here, if so sorry
(tell me and I'll not include you in the next).  You were CCed in a
previous message, and I think that your input might be valuable.


So we started with:

2005-09-16 12:47 Michal Politowski:
>Package: aptitude
>Version: 0.2.15.9-2
>Severity: minor
>
>It looks like aptitude puts only packages downloaded from
>security.debian.org into the 'Security Updates' group.
>Thus getting security updates from mirrors, including automatic ones
>created with apt-proxy and the like, means they will be categorized
>as 'Upgradable Packages'.
>Not that this is much of a problem in practice, but maybe some
>other reliable method of recognizing them can be created.

... and ...

2008-02-21 11:02 Roger Lynn:
>Package: aptitude
>Version: 0.4.4-4
>Followup-For: Bug #328620
>
>This also applies to updates from the official Debian security mirrors,
>listed in
>http://lists.debian.org/debian-devel-announce/2007/10/msg00010.html
>
>Packages from security.eu.debian.org and security.us.debian.org are
>classified as "Upgradable" instead of as "Security Updates".
>
>At the moment the only way I can tell which upgrades are security
>updates is by adding security.debian.org back into my sources.list,
>which is somewhat suboptimal.

The reply to both issues above is that aptitude can also compare against
the Label of the release file, which is "Debian-Security" (at least in
security{,.eu,.us}.d.o).

What I am not sure about is whether this can become a problem at some
point, for example if other mirrors/repos use "Debian-Security" as the
label, either on purpose or by mistake (incl. older releases of
derivatives that might have higher version numbers than Debian for some
packages), and so could mislead users into installing Security Upgrades
that aren't.

I guess that if the user already accepted a mirror that does this, and
if it convinced the user to install the keys for those repositories,
there's not much that we can do -- if packages are not classified as
"Security Updates" they will be as normal Updates, so almost the same
problem.

Comparing against "Debian-Security" only will help the case of proxies.

Comparing against both "Debian-Security" and security.*.d.o, or just the
latter (if all mirrors are guaranteed to follow this pattern), is
another possibility that at least helps in some cases.


2014-10-21 10:16 Axel Beckert:
>
>> I don't know exactly what criteria aptitude is using to sort those
>> updates so I can't really tell you. I'm putting the aptitude developers
>> in copy so that they can reply.
>
>Thanks.
>
>Aptitude uses what "apt-cache policy" shows (well, not literally).
>From "apt-cache policy"'s output:
>
>Debian Squeeze Security:
>
> 500 http://security.debian.org/ squeeze/updates/main i386 Packages
>     release v=6.0,o=Debian,a=oldstable,n=squeeze,l=Debian-Security,c=main
>     origin security.debian.org

^^ I got the idea of comparing against "Debian-Security" from this one,
thanks.


>But then again -- should we really declare Squeeze LTS updates as
>security updates? I don't think so. They were announced as not being
>equivalent, the "S" in "DLA" is missing, there's no more distinction
>between security- and non-security-updates (AFAIK), etc.
>
>I also don't recommend to not change the current setup significantly
>during the squeeze-lts cycle to not mess with people's already
>established setups. It's merely something which we should think about
>for wheezy-lts to make it better there.

Due to the reasons above and the lack of replies to this report, I guess
that the answer is to not call LTS stuff "Security Updates".


Cheers.
-- 
Manuel A. Fernandez Montecelo <manuel.montezelo at gmail.com>
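The thread compares three ways of deciding which package files feed the "Security Updates" group: the download host alone (what the original bug report describes, and why apt-proxy and security.eu.debian.org entries end up under "Upgradable Packages"), the Release-file Label "Debian-Security" as shown in the `apt-cache policy` excerpt, and a combination of both. The following is an added example written for this page, not aptitude's own code: it parses constructed `apt-cache policy` output modelled on the excerpt above and applies each rule, including the copied-label derivative case the message worries about. The proxy, mirror and derivative hostnames, the "Rodent" origin and the `is_security_strict` rule (label plus `o=Debian`, an editor's addition the thread does not propose) are all assumptions.

```python
"""Group apt package files as 'Security Updates' vs 'Upgradable Packages'
from `apt-cache policy` output, comparing the origin-host rule behind the
bug report with the Release-file Label rule proposed in the thread."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample in the shape of `apt-cache policy` output; only the
# security.debian.org entry mirrors the excerpt quoted in the thread, the
# proxy, mirror, plain-mirror and derivative entries are hypothetical.
SAMPLE_POLICY = """\
Package files:
 100 /var/lib/dpkg/status
     release a=now
 500 http://security.debian.org/ squeeze/updates/main i386 Packages
     release v=6.0,o=Debian,a=oldstable,n=squeeze,l=Debian-Security,c=main
     origin security.debian.org
 500 http://apt-proxy.example.lan:9999/security/ squeeze/updates/main i386 Packages
     release v=6.0,o=Debian,a=oldstable,n=squeeze,l=Debian-Security,c=main
     origin apt-proxy.example.lan
 500 http://security.eu.debian.org/ squeeze/updates/main i386 Packages
     release v=6.0,o=Debian,a=oldstable,n=squeeze,l=Debian-Security,c=main
     origin security.eu.debian.org
 500 http://ftp.example.org/debian/ squeeze/main i386 Packages
     release v=6.0,o=Debian,a=oldstable,n=squeeze,l=Debian,c=main
     origin ftp.example.org
 500 http://repo.derivative.example/ rodent/main i386 Packages
     release v=2.0,o=Rodent,a=stable,n=rodent,l=Debian-Security,c=main
     origin repo.derivative.example
"""


@dataclass
class PackageFile:
    priority: int
    uri: str
    release: dict = field(default_factory=dict)  # keys: v,o,a,n,l,c
    origin: str = ""                             # host from the 'origin' line


_ENTRY_RE = re.compile(r"^\s+(\d+)\s+(\S+)")


def parse_policy(text):
    """Parse the 'Package files:' section into PackageFile records."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            entries.append(PackageFile(int(m.group(1)), m.group(2)))
            continue
        stripped = line.strip()
        if not entries:
            continue
        if stripped.startswith("release "):
            fields = stripped[len("release "):].split(",")
            entries[-1].release = dict(f.split("=", 1) for f in fields if "=" in f)
        elif stripped.startswith("origin "):
            entries[-1].origin = stripped[len("origin "):]
    return entries


def _host(pf):
    return pf.origin or urlparse(pf.uri).hostname or ""


def is_security_host_exact(pf):
    """Rule the bug report describes: only security.debian.org itself."""
    return _host(pf) == "security.debian.org"


def is_security_by_label(pf):
    """Rule proposed in the thread: Release Label is Debian-Security."""
    return pf.release.get("l") == "Debian-Security"


def is_security_label_or_host(pf):
    """Label, or any security.*.debian.org mirror host (security.eu/us...)."""
    host_ok = re.fullmatch(r"security(\.[a-z]{2})?\.debian\.org", _host(pf))
    return is_security_by_label(pf) or bool(host_ok)


def is_security_strict(pf):
    """Editor's addition (not from the thread): also require Origin=Debian,
    which excludes a derivative that copied the Debian-Security label."""
    return is_security_by_label(pf) and pf.release.get("o") == "Debian"


def classify_all(text, rule):
    """Map each remote package-file URI to its aptitude status group."""
    return {pf.uri: ("Security Updates" if rule(pf) else "Upgradable Packages")
            for pf in parse_policy(text)
            if pf.uri.startswith(("http://", "https://", "ftp://"))}


if __name__ == "__main__":
    for name, rule in [("host == security.debian.org", is_security_host_exact),
                       ("label == Debian-Security", is_security_by_label),
                       ("label or security.*.debian.org", is_security_label_or_host),
                       ("label and o=Debian", is_security_strict)]:
        print(f"== rule: {name}")
        for uri, group in classify_all(SAMPLE_POLICY, rule).items():
            print(f"  {group:20} {uri}")
```

Running it shows the two sides of the thread: the host-only rule demotes both the apt-proxy URL and security.eu.debian.org, the label rule fixes both but promotes the derivative repository that reuses the "Debian-Security" label, and only the extra Origin check keeps that one under "Upgradable Packages".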
