Package: munin-plugins-core Version: 2.0.49-1 Severity: important Hi,
I've noticed strange behaviour with the apt_all plugin, which alternates between the OK (0 pending) and UNKNOWN status for e.g. buster and buster-proposed-updates, leading to many notification mails. Looking into it, it seems there are a few serious problems for something that one might be tempted to trust to reflect the need for updating a system… Problem 1: This is not reproducible. sub guess_releases() { … return keys %release_names; } as the various known suites will not be returned in the same order. Switching to “sort keys” fixes this issue. Problem 2: This doesn't do what it should. sub print_state() { … while (my $line = <STATE>) { foreach my $release (@releases) { my $release_cleaned = clean_fieldname($release); # print only lines that are exected for the currently requested releases print $line if ($line =~ /^(hold|pending)_$release_cleaned\.(value|extinfo)/); last; } } close STATE; } One could see the “last;” as an optimization: if a line matches, don't bother checking the other release. But it's not inside the matching conditional! Meaning whatever result the first line gets (match or no match), one gets out of the loop… Dropping the “last;” fixes this issue. (One could optimize a little by using a regular if() form, and putting the “last;” inside.) Problem 3: This plugin doesn't report security updates! # try to determine the currently available distributions by inspecting the repository URLs sub guess_releases() { open(my $fh, "-|", "apt-get update --print-uris") or die("Failed to determine distribution releases via 'apt-get update --print-uris"); my %release_names; my $line; while ( ! eof($fh) ) { defined( $line = readline $fh ) or die "Failed to read line from output of 'apt-get': $!"; # example line: # 'http://ftp.debian.org/debian/dists/stable/InRelease' ftp.debian.org_debian_dists_stable_InRelease 0 if ($line =~ m'^.*/dists/([^/]+)/.*$') { $release_names{$1} = 1; } } return keys %release_names; } The m'^.*/dists/([^/]+)/.*$' pattern doesn't allow for distribution names with slashes, meaning no luck for buster/updates. Switching to m'^.*/dists/(.+)/(?:In)?Release.*$' would fix the suite detection, but then the plugin wouldn't work properly anyway: E: The value 'buster/updates' is invalid for APT::Default-Release as such a release is not available in the sources I'm not sure how to best approach a possible fix for this third problem, so I'll try and check what the “apt” plugin does (it seems to lump all updates in a single value). If “apt_all” is not fixed in this regard… well it seems to me it's actively harmful to our users as they are *not* trackingsecurity updates? Cheers, -- Cyril Brulebois (k...@debian.org) <https://debamax.com/> D-I release manager -- Release team member -- Freelance Consultant