[Pkg-nagios-devel] Bug#827757: apt-get upgrade doesn't want to upgrade packages in need of an upgrade
David Kalnischkies
david at kalnischkies.de
Mon Jun 20 21:28:54 UTC 2016
Control: reassign -1 monitoring-plugins-basic
On Mon, Jun 20, 2016 at 04:52:37PM +0200, Christoph Anton Mitterer wrote:
> apt however, doesn't upgrade:
> # apt-get upgrade
"apt-get upgrade" is documented to not install new (or remove) packages.
It is strictly upgrading only. New packages can introduce new interfaces
and especially new (potentially internet-facing) daemons and are hence
not "safe" – at least not as safe as just upgrading is which is
frequently done unattended (by a program or on "autopilot" by a human).
aptitude doesn't have this restriction. "apt upgrade" hasn't either btw.
Even "apt-get upgrade" can be told to lift this restriction with
"--with-new-pkgs".
So, not a bug in apt(-get) – it is a feature! ;)
> I'd guess that the check_apt Icinga/Nagios check uses apt-get upgrade
> to look for upgradable packages, because it returns:
> # /usr/lib/nagios/plugins/check_apt
> APT OK: 0 packages available for upgrade (0 critical updates). |available_upgrades=0;;;0 critical_updates=0;;;0
>
> Which is bad of course, and the security problem here.
I guess the nagios check shouldn't use 'apt-get upgrade', but that
depends on what it is supposed to show (aka what its users expect) and
what it actually uses (based on "critical updates" I guess it is using
its own code, perhaps a binding…) but both I don't know hence
reassigning.
Best regards
David Kalnischkies
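
Added example (not part of the original message and not check_apt's own code): a monitoring check that parses simulated `apt-get -s upgrade` output and counts kept-back packages as pending, so the situation discussed above does not report OK. The sample output, the package names and the choice of WARNING as severity are constructed assumptions.

```python
import re

# Constructed sample of `apt-get -s upgrade` output; package names and versions are made up.
SAMPLE = """\
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
  examplepkg-server examplepkg-common
  examplepkg-tools
The following packages will be upgraded:
  libexample1
1 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.
Inst libexample1 [1.0-1] (1.0-2 Debian:testing [amd64])
Conf libexample1 (1.0-2 Debian:testing [amd64])
"""

KEPT_HEADER = "The following packages have been kept back:"

def parse_simulation(text):
    """Return (upgradable, kept_back) package lists from simulated upgrade output."""
    upgradable, kept_back, in_kept = [], [], False
    for line in text.splitlines():
        if line.startswith(KEPT_HEADER):
            in_kept = True                      # indented package names follow
        elif in_kept and line.startswith("  "):
            kept_back.extend(line.split())
        else:
            in_kept = False                     # any other line ends the section
            m = re.match(r"Inst (\S+)", line)   # one "Inst" line per planned upgrade
            if m:
                upgradable.append(m.group(1))
    return upgradable, kept_back

def nagios_status(text):
    """Nagios-style (exit_code, message); kept-back packages are never reported as OK."""
    upgradable, kept_back = parse_simulation(text)
    if not upgradable and not kept_back:
        return 0, "APT OK: 0 packages pending"
    # WARNING (1) for any pending package is this example's policy, not check_apt's.
    return 1, "APT WARNING: %d upgradable, %d kept back (%s)" % (
        len(upgradable), len(kept_back), " ".join(kept_back))

if __name__ == "__main__":
    print(nagios_status(SAMPLE))
```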