Package: munin-plugins-core
Version: 2.0.49-1
Severity: important
Hi,
I've noticed strange behaviour with the apt_all plugin, which alternates
between the OK (0 pending) and UNKNOWN status for e.g. buster and
buster-proposed-updates, leading to many notification mails.
Looking into it, it seems there are a few serious problems for something
that one might be tempted to trust to reflect the need for updating a
system…
Problem 1: This is not reproducible.
sub guess_releases() {
…
return keys %release_names;
}
as the various known suites will not be returned in the same order.
Switching to “sort keys” fixes this issue.
Problem 2: This doesn't do what it should.
sub print_state() {
…
while (my $line = <STATE>) {
foreach my $release (@releases) {
my $release_cleaned = clean_fieldname($release);
# print only lines that are exected for the currently requested
releases
print $line if ($line =~
/^(hold|pending)_$release_cleaned\.(value|extinfo)/);
last;
}
}
close STATE;
}
One could see the “last;” as an optimization: if a line matches, don't
bother checking the other release. But it's not inside the matching
conditional! Meaning whatever result the first line gets (match or no
match), one gets out of the loop…
Dropping the “last;” fixes this issue. (One could optimize a little by
using a regular if() form, and putting the “last;” inside.)
Problem 3: This plugin doesn't report security updates!
# try to determine the currently available distributions by inspecting the
repository URLs
sub guess_releases() {
open(my $fh, "-|", "apt-get update --print-uris")
or die("Failed to determine distribution releases via 'apt-get
update --print-uris");
my %release_names;
my $line;
while ( ! eof($fh) ) {
defined( $line = readline $fh ) or die "Failed to read line from
output of 'apt-get': $!";
# example line:
# 'http://ftp.debian.org/debian/dists/stable/InRelease'
ftp.debian.org_debian_dists_stable_InRelease 0
if ($line =~ m'^.*/dists/([^/]+)/.*$') {
$release_names{$1} = 1;
}
}
return keys %release_names;
}
The m'^.*/dists/([^/]+)/.*$' pattern doesn't allow for distribution
names with slashes, meaning no luck for buster/updates.
Switching to m'^.*/dists/(.+)/(?:In)?Release.*$' would fix the suite
detection, but then the plugin wouldn't work properly anyway:
E: The value 'buster/updates' is invalid for APT::Default-Release as such a
release is not available in the sources
I'm not sure how to best approach a possible fix for this third problem,
so I'll try and check what the “apt” plugin does (it seems to lump all
updates in a single value). If “apt_all” is not fixed in this regard…
well it seems to me it's actively harmful to our users as they are *not*
trackingsecurity updates?
Cheers,
--
Cyril Brulebois (k...@debian.org) <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant
