Installer disables security updates when they do not verify at install time

Bug #256098 reported by Christian Hudon
This bug affects 2 people
Affects              Status         Importance   Assigned to    Milestone
apt-setup (Ubuntu)   Fix Released   High         Colin Watson
  Declined for Intrepid by Steve Langasek
Hardy                Won't Fix      Undecided    Unassigned

Bug Description

I installed hardy from scratch on a server using the alternate installer cd last week. This week I go have a look in my /etc/apt/sources.list file (for some other reason), and I see the following:

# Line commented out by installer because it failed to verify:
#deb http://security.ubuntu.com/ubuntu hardy-security main restricted
# Line commented out by installer because it failed to verify:
#deb-src http://security.ubuntu.com/ubuntu hardy-security main restricted
# Line commented out by installer because it failed to verify:
#deb http://security.ubuntu.com/ubuntu hardy-security universe
# Line commented out by installer because it failed to verify:
#deb-src http://security.ubuntu.com/ubuntu hardy-security universe
# Line commented out by installer because it failed to verify:
#deb http://security.ubuntu.com/ubuntu hardy-security multiverse
# Line commented out by installer because it failed to verify:
#deb-src http://security.ubuntu.com/ubuntu hardy-security multiverse

So... If I hadn't gone to have a look, I would have had security updates disabled forever, because they "failed to verify" at install time. My guess is that these lines "didn't verify" because I didn't have an Internet connection up at install time, but the reason doesn't matter all that much. Whatever the reason, these lines should never be commented out! Skip them that time when they don't verify (and maybe they'll verify okay the next time), but don't comment them out!

Getting off soapbox now. Thanks. :-)

Mario Limonciello (superm1) wrote :

This seems to affect desktop CD installs too.

Changed in apt-setup:
status: New → Confirmed
Wouter Stomp (wouterstomp-deactivatedaccount) wrote :

Wubi installs are also affected. This should probably have its priority raised to high or critical, because disabling all security updates is very problematic.

Duncan Lithgow (duncan-lithgow) wrote :

Problem persists for Jaunty alternative, alpha 2. Why is the importance not set to high and why is this bug not marked as a security vulnerability? I don't have rights to make these changes.

Philip Lowman (philip-yhbt) wrote :

This bug needs to be fixed. I can't believe it's been sitting in the hopper for 4 months now.

The security repositories should be enabled by default just like the standard repositories are. There is no valid reason for one to be enabled and the other to be disabled. Enable them both always and let the exceptions sort themselves out (the small number of users without internet access seeking to add packages via cdrom after the install process).

Colin Watson (cjwatson)
Changed in apt-setup:
assignee: nobody → kamion
importance: Undecided → High
status: Confirmed → Triaged
Colin Watson (cjwatson)
Changed in apt-setup:
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt-setup - 1:0.37ubuntu8

---------------
apt-setup (1:0.37ubuntu8) jaunty; urgency=low

  * Remove /var/lib/install-cd.id if cd_type ends with /single, to avoid
    unnecessary problems remounting the CD (LP: #294365).
  * Enable all network sources, including security updates, even if the
    network is unconfigured (LP: #256098).
  * Fix handling of universe and multiverse in -backports lines.

 -- Colin Watson <email address hidden> Fri, 09 Jan 2009 15:41:53 +0000

Changed in apt-setup:
status: Fix Committed → Fix Released
Wouter Stomp (wouterstomp-deactivatedaccount) wrote :

It would probably be good to backport this for 8.04.2 as well if it isn't too late for that?

Duncan Lithgow (duncan-lithgow) wrote :

How do we tell launchpad that this is fixed for jaunty, but still an issue for intrepid and hardy?

Philip Lowman (philip-yhbt) wrote :

Colin,

Thanks very much for fixing this bug.

Duncan,

One way appears to be to nominate the bug for backporting to a particular release of Ubuntu. I've done so both for hardy and intrepid. I have no idea if intrepid will have an 8.10.1 release though and if it doesn't this bug will continue to affect 8.10 installs in perpetuity.

It's hard to say how many systems out there don't have security updates enabled because of this bug. One thing Canonical could do is push out an update to a package in the updates tree to check to see if /etc/apt/sources.list has security.ubuntu.com commented out or not. Then they could fix the problem retroactively. This is something that could be deployed on both intrepid and hardy and so long as the user is updating their system at all they would get the fix. If this method were employed patching the installers would be a good idea but probably optional (barring a dependency issue between ubuntu-updates and a nonexistent ubuntu-security).
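
The check proposed in the comment above, sketched as an added example; it is not part of the thread and not code from apt-setup or Canonical. The function names and the sample file are constructed here; the marker text is the one quoted in the bug description.

```shell
#!/bin/sh
# Added example: audit an APT sources file for entries the installer disabled.
# The marker text is the one quoted in the bug description.
MARKER='# Line commented out by installer because it failed to verify:'

# List commented-out deb/deb-src lines that directly follow the marker.
disabled_by_installer() {
    awk -v marker="$MARKER" '
        prev == marker && /^#[ \t]*deb(-src)?[ \t]/ { print FNR ": " $0 }
        { prev = $0 }' "$1"
}

# Count active entries that point at a -security pocket.
active_security_count() {
    grep -Ec '^[[:space:]]*deb(-src)?[[:space:]].*-security[[:space:]]' "$1" || true
}

# Print the file with those entries re-enabled and their markers dropped.
# Commented lines that do not follow a marker are left untouched.
reenable() {
    awk -v marker="$MARKER" '
        $0 == marker { if (held) print marker; held = 1; next }
        held && /^#[ \t]*deb(-src)?[ \t]/ { sub(/^#[ \t]*/, ""); print; held = 0; next }
        held { print marker; held = 0 }
        { print }
        END { if (held) print marker }' "$1"
}

# Constructed sample, modelled on the excerpt in the report.
sample=$(mktemp)
cat > "$sample" <<EOF
deb http://archive.ubuntu.com/ubuntu hardy main restricted
$MARKER
#deb http://security.ubuntu.com/ubuntu hardy-security main restricted
$MARKER
#deb-src http://security.ubuntu.com/ubuntu hardy-security main restricted
# deb http://archive.ubuntu.com/ubuntu hardy-backports main
EOF

echo "disabled by installer:"; disabled_by_installer "$sample"
echo "active security entries: $(active_security_count "$sample")"
reenable "$sample" > "$sample.fixed"
echo "after re-enable: $(active_security_count "$sample.fixed")"
```

On a real system the first two functions can be pointed at /etc/apt/sources.list read-only; review the output of `reenable` before replacing the file with it.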

Rolf Leggewie (r0lf) wrote :

Hardy has seen the end of its life and is no longer receiving any updates. Marking the Hardy task for this ticket as "Won't Fix".

Changed in apt-setup (Ubuntu Hardy):
status: New → Won't Fix