Public bug reported: I came across a scenario where the output of `/usr/lib/update-notifier /apt-check --human-readable` is showing some (not all) esm updates as being installable when esm itself is disabled:
ubuntu@trusty-desktop:~$ sudo /usr/lib/update-notifier/apt-check --human-readable UA Infrastructure Extended Security Maintenance (ESM) is not enabled. 456 updates can be installed immediately. 10 of these updates are provided through UA Infrastructure ESM. 378 of these updates are security updates. To see these additional updates run: apt list --upgradable Enable UA Infrastructure ESM to receive 127 additional security updates. See https://ubuntu.com/advantage or run: sudo ua status If you look carefully, you will see that it's contradicting itself by saying esm is enabled and disabled at the same time: - 10 ESM updates can be installed immediately - ESM is disabled, and if you enable ESM you will get 127 additional updates I believe this comes from apt_check.py:253: # now check for security updates that are masked by a # canidate version from another repo (-proposed or -updates) for ver in pkg.version_list: if (inst_ver and apt_pkg.version_compare(ver.ver_str, inst_ver.ver_str) <= 0): #print("skipping '%s' " % ver.VerStr) continue if isESMUpgrade(ver): esm_updates += 1 if isSecurityUpgrade(ver): security_updates += 1 break I believe that is ignoring the fact that ESM is disabled. I added a pdb to check which package it was considering as an esm update, and the first response was dbus, which is in this peculiar state in the archive: ubuntu@trusty-desktop:~$ apt-cache policy dbus dbus: Installed: 1.6.18-0ubuntu4.3 Candidate: 1.6.18-0ubuntu4.5 Version table: 1.6.18-0ubuntu4.5+esm1 0 -32768 https://esm.ubuntu.com/ubuntu/ trusty-infra-security/main amd64 Packages 1.6.18-0ubuntu4.5 0 500 http://br.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages 1.6.18-0ubuntu4.4 0 500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages *** 1.6.18-0ubuntu4.3 0 100 /var/lib/dpkg/status 1.6.18-0ubuntu4 0 500 http://br.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages Maybe we just need to guard that isESMUpgrade(ver) call with "if have_esm and isESMUpgrade(ver)"? The other place in the code a bit up from the above which also increments esm_updates isn't run in this scenario, so the 10 packages must come from the check I highlighted above. Other info: update-notifier 0.154.1ubuntu8 from trusty-updates ubuntu-advantage-tools 19.6~ubuntu14.04.4 from trusty-updates ua is attached, but esm disabled: ubuntu@trusty-desktop:~$ ua status SERVICE ENTITLED STATUS DESCRIPTION cc-eal yes n/a Common Criteria EAL2 Provisioning Packages cis-audit no — Center for Internet Security Audit Tools esm-infra yes disabled UA Infra: Extended Security Maintenance fips yes n/a NIST-certified FIPS modules fips-updates yes n/a Uncertified security updates to FIPS modules livepatch yes disabled Canonical Livepatch service Enable services with: ua enable <service> Account: andreas.hasen...@canonical.com Subscription: andreas.hasen...@canonical.com ** Affects: update-notifier (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1883315 Title: Showing esm update as installable when esm is disabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/update-notifier/+bug/1883315/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs