Merge ~alexmurray/ubuntu-security-tools:upgradeable-version into ubuntu-security-tools:master

Proposed by Alex Murray
Status: Merged
Merged at revision: ab37bcd7d8839c30693cbbd09b0eec33fb98846f
Proposed branch: ~alexmurray/ubuntu-security-tools:upgradeable-version
Merge into: ubuntu-security-tools:master
Diff against target: 38 lines (+27/-0)
1 file modified
package-tools/check-source-package (+27/-0)
Reviewer: Ubuntu Security Team
Review status: Pending
Review via email: mp+374411@code.launchpad.net

Description of the change

It was noticed that we had previously published an update for openjpeg2 in bionic which would not be able to be upgraded when doing a release upgrade to say disco/eoan etc:

$ rmadison -u ubuntu openjpeg2
 openjpeg2 | 2.1.0-2.1 | xenial/universe | source
 openjpeg2 | 2.1.2-1.1+deb9u3build0.16.04.1 | xenial-security/universe | source
 openjpeg2 | 2.1.2-1.1+deb9u3build0.16.04.1 | xenial-updates/universe | source
 openjpeg2 | 2.3.0-1 | bionic/universe | source
 openjpeg2 | 2.3.0-2 | disco/universe | source
 openjpeg2 | 2.3.0-2 | eoan/universe | source
 openjpeg2 | 2.3.0-2 | focal/universe | source
 openjpeg2 | 2.3.0-2build0.18.04.1 | bionic-security/universe | source
 openjpeg2 | 2.3.0-2build0.18.04.1 | bionic-updates/universe | source

Note that 2.3.0-2build0.18.04.1 now published to bionic-security and hence bionic-updates has a greater version than 2.3.0-2 in disco/eoan/focal so when a user upgrades to disco/eoan/focal openjpeg2 will not be upgraded to the appropriate version.

So we update check-source-package so that when running umt check in this case, the following extra output is emitted:

Upgradeable version: FAIL
 Current: 2.3.0-2build0.18.04.1 in bionic-security
 Found:
    2.3.0-2 in focal
    2.3.0-2 in eoan
    2.3.0-2 in disco

Emilia Torino (emitorino) wrote :

LGTM!

BTW, is there any way to fix the issue in openjpeg2? Or any other package having the same issue? Something like a forced update?

Eduardo Barretto (ebarretto) wrote :

Just a minor comment, it is supersede instead of supercede. But this shouldn't impact the merge and can be fixed later on.

Alex Murray (alexmurray) wrote :

emitorino - yes, ebarretto pushed no-change-rebuilds with new version numbers to the newer releases so that they now have higher version numbers to deal with this:

https://launchpad.net/ubuntu/+source/openjpeg2/2.3.0-2build0.19.04.1
https://launchpad.net/ubuntu/+source/openjpeg2/2.3.0-2build0.19.10.1
https://launchpad.net/ubuntu/+source/openjpeg2/2.3.0-2build1

ebarretto - seems I am not the only one to misspell it since we have 1 occurrence of the correct spelling in the repo currently and 2 of the misspelling:

amurray@slate:~/ubuntu/git/ubuntu-security-tools[master|?P]$ rg -i supersede
build-tools/umt
2969: err("You will supersede the PPA and --esm is missing. Aborting.")

amurray@slate:~/ubuntu/git/ubuntu-security-tools[master|?P]$ rg -i supercede
repo-tools/am
4:# Get a list of current source package versions, ignoring superceded stuff

doc/wiki/deleted_SecurityTeam_UpdateProceduresDAK
4:'''IMPORTANT:''' These instructions have been superceded by SecurityTeam/UpdatePublication

So for now I will merge this as is and we can fix the spelling later :)

Preview Diff

1diff --git a/package-tools/check-source-package b/package-tools/check-source-package
2index 4f38478..62ae75c 100755
3--- a/package-tools/check-source-package
4+++ b/package-tools/check-source-package
5@@ -702,6 +702,33 @@ check_version() {
6 echo "pass"
7 fi
8
9+ # check we are not superceding a version in a later release which would
10+ # prevent updating to the other release's package on upgrade
11+ format_test_name "Upgradeable version"
12+ superceded=""
13+ # get timestamp of this release
14+ distdate=$(date -d $(curl -s https://api.launchpad.net/1.0/ubuntu/"${dist%%-*}" | grep -o '"date_created": "[0-9T:.+-]\+"' | sed 's/.*"\([0-9T:.+-]\+\)".*/\1/') +%s)
15+ while read -r oldversion oldseries; do
16+ # get timestamp of published release
17+ olddist="${oldseries%%/*}"
18+ olddate=$(date -d $(curl -s https://api.launchpad.net/1.0/ubuntu/"${olddist%%-*}" | grep -o '"date_created": "[0-9T:.+-]\+"' | sed 's/.*"\([0-9T:.+-]\+\)".*/\1/') +%s)
19+ if [ $olddate -gt $distdate ]; then
20+ if dpkg --compare-versions "$version" gt "$oldversion"; then
21+ superceded="$oldversion $olddist\n$superceded"
22+ fi
23+ fi
24+ done < <(rmadison -u ubuntu "$package" | awk '{print $3 " " $5}')
25+ if [ -n "$superceded" ]; then
26+ failed "FAIL"
27+ echo " Current: $version in $dist"
28+ echo " Found: "
29+ while read -r oldversion olddist; do
30+ if [ ! -z "$oldversion" ]; then
31+ echo " $oldversion in $olddist"
32+ fi
33+ done < <(echo -e "$superceded")
34+ fi
35+
36 if echo "$version" | grep -E -q '~ppa[a-zA-Z0-9]+$' ; then
37 warned "PPA version detected"
38 fi
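
Review bot: The two `date -d $(curl -s …)` lookups (for `distdate` before the loop and `olddate` inside it) fail open: if the Launchpad request fails or the `date_created` grep matches nothing, the variable is empty, `[ $olddate -gt $distdate ]` errors out instead of comparing, and no FAIL is reported for a version that may not be upgradeable. Suggest quoting the command substitution, verifying that both timestamps are non-empty integers before the comparison, and emitting a warning or failure when the lookup does not succeed. The `olddate` lookup also makes one HTTP request per rmadison row, so the same series is fetched several times; caching the timestamp per series name would avoid that. Separately, the success path prints nothing after `format_test_name "Upgradeable version"`, whereas the preceding check echoes "pass", so the output line is left without a result when nothing is superseded.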
