Bug#840064: apticron: apt-get stops when an update for a held back package is found

2017-02-15 Thread Michael Lange
> If the use of "--allow-change-held-packages" seems dangerous to you (it
> might not, as we also set "-s" in the command line), it should be safer to
> just replace "-y" by "--trivial-only" which will answer yes for all non
> dangerous questions and no on the others.

Since -s is used it is not a matter of "safe" vs. "dangerous", nothing
will be actually installed anyway. Otoh, with --trivial-only an available
update that however requires "yes" being answered on a "dangerous"
question might get lost in the process.

> What about replacing the whole complicated line by something more simple
> based on apt like this:
> 
> apt list --upgradable 2>/dev/null | sed -ne 's#^\(.*\)/.*$#\1#p'

Sounds reasonable, however I believe there are two problems with this:

1. if the maintainers wish to keep apticron's behavior intact, it is not
possible this way, since NOTIFY_NEW="1" would no longer have any effect
(although most likely the majority of users could live with that).

2. more seriously: the following part from man apt

> The apt(8) commandline is designed as a end-user tool and it may change
> the output between versions. While it tries to not break backward
> compatibility there is no guarantee for it either. All features of apt
> (8) are available in apt-cache(8) and apt-get(8) via APT options.
> Please prefer using these commands in your scripts.  

does not sound like the apt command is the preferred tool for a script
like apticron. Maybe if apticron's developers contacted the apt
development team, they could reassure them that this part of the cli is
not subject to change, though.
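
Added example, not part of the thread and not apticron's code: a comparison of the two list sources discussed above, relevant to the NOTIFY_NEW point. The sample outputs are constructed and the function names are hypothetical; it shows that `apt-get -s` reports packages a dist-upgrade would newly install, while `apt list --upgradable` does not.

```shell
#!/bin/sh
# Added illustration; the sample outputs below are constructed, not captured.

# Constructed `apt-get -s dist-upgrade` output: one new package, two upgrades.
sample_simulation() {
cat <<'EOF'
Reading package lists...
Building dependency tree...
The following NEW packages will be installed:
  libexample2
The following packages will be upgraded:
  exampled examplepkg
Inst libexample2 (2.0-1 Debian:testing [amd64])
Inst examplepkg [1.0-1] (1.0-2 Debian:testing [amd64])
Inst exampled [3.1-3] (3.1-4 Debian:testing [amd64])
Conf libexample2 (2.0-1 Debian:testing [amd64])
Conf examplepkg (1.0-2 Debian:testing [amd64])
Conf exampled (3.1-4 Debian:testing [amd64])
EOF
}

# Constructed `apt list --upgradable` output for the same system state.
sample_apt_list() {
cat <<'EOF'
Listing...
examplepkg/testing 1.0-2 amd64 [upgradable from: 1.0-1]
exampled/testing 3.1-4 amd64 [upgradable from: 3.1-3]
EOF
}

# Upgrades: "Inst" lines whose third field is the installed version in [brackets].
upgraded_names() { awk '$1 == "Inst" && $3 ~ /^\[/ { print $2 }' | LC_ALL=C sort; }

# New installs: "Inst" lines that carry no installed version.
new_names() { awk '$1 == "Inst" && $3 !~ /^\[/ { print $2 }' | LC_ALL=C sort; }

# The sed expression proposed in the thread, unchanged; the "Listing..."
# header has no slash, so it is dropped.
apt_list_names() { sed -ne 's#^\(.*\)/.*$#\1#p' | LC_ALL=C sort; }

echo "upgrades (apt-get -s): $(sample_simulation | upgraded_names | tr '\n' ' ')"
echo "new      (apt-get -s): $(sample_simulation | new_names | tr '\n' ' ')"
echo "apt list --upgradable: $(sample_apt_list | apt_list_names | tr '\n' ' ')"
```

Because the sed pattern is greedy, it keeps everything up to the last `/` on a line; `s#^\([^/]*\)/.*$#\1#p` stops at the first one.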



Bug#840064: apticron: apt-get stops when an update for a held back package is found

2017-01-26 Thread Landry Minoza
If the use of "--allow-change-held-packages" seems dangerous to you (it
might not, as we also set "-s" in the command line), it should be safer to
just replace "-y" by "--trivial-only" which will answer yes for all non
dangerous questions and no on the others.

> --trivial-only
> Only perform operations that are 'trivial'. Logically this can be
> considered related to --assume-yes; where --assume-yes will answer yes to
> any prompt, --trivial-only will answer no. Configuration Item:
> APT::Get::Trivial-Only.

What about replacing the whole complicated line by something more simple
based on apt like this:

apt list --upgradable 2>/dev/null | sed -ne 's#^\(.*\)/.*$#\1#p'

-- 
Landry MINOZA
landry.min...@gmail.com


Bug#840064: apticron: apt-get stops when an update for a held back package is found

2016-11-30 Thread Michael Lange
On Thu, 17 Nov 2016 23:20:57 +0100, Francesco Namuri wrote:

> I looked to the code more carefully seeing that there is a part to
> handle the report of packages on held status, I suppose it's better
> to improve this part despite of using the allow-change-held-packages
> switch.

I don't think that there is anything wrong with the command line I
suggested in the first post; as far as I understand it does the exact same
as the old command used to do with the old apt syntax. It has been working
well here for several weeks now, and I don't see why it shouldn't do so.

There are other (less important) issues though with the way apticron
calculates the list of upgradable packages (but these have nothing to do
with this apt-syntax issue).

Regards

Michael



Bug#840064: apticron: apt-get stops when an update for a held back package is found

2016-11-17 Thread gregor herrmann
On Thu, 17 Nov 2016 23:20:57 +0100, Francesco Namuri wrote:

> I looked to the code more carefully seeing that there is a part to
> handle the report of packages on held status, I suppose it's better
> to improve this part despite of using the allow-change-held-packages
> switch.

Thanks for looking into this issue again!
 
> Nevertheless I continue thinking that this bug must not be a grave one,
> but also not a normal one, so I'm raising it to important.

I don't care so much about the severity, I just hope it's fixed sooon
:)
 
Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at/ - Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Red Hot Chili Peppers: Savior




Bug#840064: apticron: apt-get stops when an update for a held back package is found

2016-11-17 Thread Francesco Namuri

severity 840064 important
merge 840064 816959 781639
tags 840064 - moreinfo
thanks

Hello,
I'm sorry I wrote my last email thinking about an unattended upgrade
done using the apticron output (or using apticron directly, but this
isn't possible)

I looked to the code more carefully seeing that there is a part to
handle the report of packages on held status, I suppose it's better
to improve this part despite of using the allow-change-held-packages
switch.

Nevertheless I continue thinking that this bug must not be a grave one,
but also not a normal one, so I'm raising it to important.



On 17/11/2016 17:56, gregor herrmann wrote:
> On Thu, 17 Nov 2016 16:57:30 +0100, Francesco Namuri wrote:
>
> > thanks for your bug report. I'm downgrading it to normal severity
> > waiting for more information. IMHO this is not a bug but I'd like
> > to see the error you're getting. Can you please attach it to
> > this report?
>
> What I get is a mail from cron:
>
>   From: Cron Daemon 
>   To: root@$domain
>   Subject: Cron  if test -x /usr/sbin/apticron; then /usr/sbin/apticron --cron; else true; fi
>   Date: Thu, 17 Nov 2016 16:39:45 +0100
>
>   E: Held packages were changed and -y was used without --allow-change-held-packages.
>
> And that's all.
>
> > Trying to automatically update a package that has the "held"
> > flag is a dangerous/unwanted behavior, IMHO the warning/error
> > should be raised and the execution must stop.
>
> It makes apticron pretty useless as I don't get any information about
> which (held or not held) packages are available for updating.
>
> > The solution proposed "allow-change-held-packages" is also
> > very dangerous, as you can see in the man page:
>
> This is in a line with `apt-get -s' i.e. nothing is updated, it's
> just about getting the list of packages by simulating an update.
>
> Cheers,
> gregor




Bug#840064: apticron: apt-get stops when an update for a held back package is found

2016-11-17 Thread gregor herrmann
On Thu, 17 Nov 2016 16:57:30 +0100, Francesco Namuri wrote:

> thanks for your bug report. I'm downgrading it to normal severity
> waiting for more information. IMHO this is not a bug but I'd like
> to see the error you're getting. Can you please attach it to
> this report?

What I get is a mail from cron:

  From: Cron Daemon 
  To: root@$domain
  Subject: Cron  if test -x /usr/sbin/apticron; then /usr/sbin/apticron --cron; else true; fi
  Date: Thu, 17 Nov 2016 16:39:45 +0100

  E: Held packages were changed and -y was used without --allow-change-held-packages.

And that's all.
 
> Trying to automatically update a package that has the "held"
> flag is a dangerous/unwanted behavior, IMHO the warning/error
> should be raised and the execution must stop.

It makes apticron pretty useless as I don't get any information about
which (held or not held) packages are available for updating.
 
> The solution proposed "allow-change-held-packages" is also
> very dangerous, as you can see in the man page:

This is in a line with `apt-get -s' i.e. nothing is updated, it's
just about getting the list of packages by simulating an update.
 

Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at/ - Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Rolling Stones: Lonely




Bug#840064: apticron: apt-get stops when an update for a held back package is found

2016-11-17 Thread Francesco Namuri

severity 840064 normal
tag 840064 moreinfo
thanks

Hello Michael,
thanks for your bug report. I'm downgrading it to normal severity
waiting for more information. IMHO this is not a bug but I'd like
to see the error you're getting. Can you please attach it to
this report?

Trying to automatically update a package that has the "held"
flag is a dangerous/unwanted behavior, IMHO the warning/error
should be raised and the execution must stop.

The solution proposed "allow-change-held-packages" is also
very dangerous, as you can see in the man page:

"
--allow-change-held-packages
   Force yes; this is a dangerous option that will
   cause apt to continue without prompting if it is
   changing held packages. It should not be used
   except in very special situations. Using it can
   potentially destroy your system! Configuration
   Item: APT::Get::allow-change-held-packages.
   Introduced in APT 1.1.
"

Ciao,
Francesco



Bug#840064: apticron: apt-get stops when an update for a held back package is found

2016-10-07 Thread Michael Lange
Package: apticron
Version: 1.1.59
Severity: grave
Justification: renders package unusable

Dear Maintainer,

first I should mention that I never used apticron myself, but I borrowed the
part of the apticron script that generates the list of upgradable packages for
a custom script here. Since the affected command line is also still present in
the latest apticron package, I assume this problem applies to apticron, too. If
I am mistaken with that, I apologize in advance.

Today I noticed that on debian testing my script did not work any longer, since
the call of

PKGNAMES=`/usr/bin/apt-get -q -y --ignore-hold --allow-unauthenticated -s
dist-upgrade...

stopped with an error message, because an update for a held package is
available and --allow-change-held-packages was missing from the command line.
I am not 100% sure, but I think a couple days ago this still used to work, so I
guess that this is caused by a recent update to apt-1.3 which appears to break
the usability of this use of command line options.

The solution I found and which (at least in my script) appears to work well, is
to change the command line into

PKGNAMES=`/usr/bin/apt-get -q -y --ignore-hold --allow-unauthenticated
--allow-downgrades --allow-remove-essential --allow-change-held-packages -s
dist-upgrade...

According to the apt-get manpage this should work with apt versions >= 1.1.

Best regards

Michael Lange




-- System Information:
Debian Release: 8.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.3.0-0.bpo.1-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apticron depends on:
ii  apt                     1.0.9.8.3
ii  bsd-mailx [mailx]       8.1.2-0.20141216cvs-2
ii  bzip2                   1.0.6-7+b3
ii  cron [cron-daemon]      3.0pl1-127+deb8u1
ii  debconf [debconf-2.0]   1.5.56
ii  dpkg                    1.17.27
ii  heirloom-mailx [mailx]  12.5-4
ii  ucf                     3.0030

Versions of packages apticron recommends:
ii  apt-listchanges  2.85.13+nmu1
ii  iproute2         3.16.0-2

apticron suggests no packages.