Public bug reported:
In Kubuntu KDE system settings, there is an option to enable automatic
updates. However I wondered why this never actually updated the system,
despite that I had automatic updates enabled for some time.
Turns out, KDE uses Discover to update the system unattended. And
discover uses packagekit to trigger offline updates.
Now here is the problem: Usually this would work. It does on other
distros which don't patch the polkit policy. But not on (K)ubuntu.
In the package sources there is a patch for the debian/ubuntu package:
<packagesrc>/debian/patches/policy.diff
This patch does change the permission to do offline updates from all
active users to only admins.
Here:
```
@@ -273,7 +271,7 @@
<action id="org.freedesktop.packagekit.trigger-offline-update">
<!-- SECURITY:
- - Normal users are able to ask updates to be installed at
+ - Administrators are able to ask updates to be installed at
early boot time without a password.
-->
<description>Trigger offline updates</description>
@@ -282,7 +280,7 @@
<defaults>
<allow_any>auth_admin</allow_any>
<allow_inactive>auth_admin</allow_inactive>
- <allow_active>yes</allow_active>
+ <allow_active>auth_admin_keep</allow_active>
</defaults>
</action>
```
With this patch, it prompts the user for a password before allowing
offline updates. Now in unattended update mode, this prompt is hidden.
So basically with that patch, unattended updates on Kubuntu just fail
silently.
Removing this patch (or at least reverting the change in this
"org.freedesktop.packagekit.trigger-offline-update" action) makes auto
updates work again.
Please remove this change from the patch (or even the whole patch? this
was last modified in 2012, so should be reviewed if still needed).
** Affects: packagekit (Ubuntu)
Importance: Undecided
Status: New
** Description changed:
- In Kubuntu in KDE system settings, there is a setting to enable
- automatic updates. However I wondered why this never actually updated
- the system, despite that I had automatic updates enabled for some time.
+ In Kubuntu KDE system settings, there is an option to enable automatic
+ updates. However I wondered why this never actually updated the system,
+ despite that I had automatic updates enabled for some time.
Turns out, KDE uses Discover to update the system unattended. And
discover uses packagekit to trigger offline updates.
Now here is the problem: Usually this would work. It does on other
distros which don't patch the polkit policy. But not on (K)ubuntu.
In the package sources there is a patch for the debian/ubuntu package:
<packagesrc>/debian/patches/policy.diff
This patch does change the permission to do offline updates from all
active users to only admins.
Here:
```
@@ -273,7 +271,7 @@
-
- <action id="org.freedesktop.packagekit.trigger-offline-update">
- <!-- SECURITY:
+
+ <action id="org.freedesktop.packagekit.trigger-offline-update">
+ <!-- SECURITY:
- - Normal users are able to ask updates to be installed at
+ - Administrators are able to ask updates to be installed at
- early boot time without a password.
- -->
- <description>Trigger offline updates</description>
+ early boot time without a password.
+ -->
+ <description>Trigger offline updates</description>
@@ -282,7 +280,7 @@
- <defaults>
- <allow_any>auth_admin</allow_any>
- <allow_inactive>auth_admin</allow_inactive>
+ <defaults>
+ <allow_any>auth_admin</allow_any>
+ <allow_inactive>auth_admin</allow_inactive>
- <allow_active>yes</allow_active>
+ <allow_active>auth_admin_keep</allow_active>
- </defaults>
- </action>
+ </defaults>
+ </action>
```
With this patch, it prompts the user for a password before allowing
offline updates. Now in unattended update mode, this prompt is hidden.
So basically with that patch, unattended updates on Kubuntu just fail
silently.
Removing this patch (or at least reverting the change in this
"org.freedesktop.packagekit.trigger-offline-update" rule) makes auto
updates work again.
Please remove this change from the patch (or even the whole patch? this
was last modified in 2012, so should be reviewed if still needed).
** Description changed:
In Kubuntu KDE system settings, there is an option to enable automatic
updates. However I wondered why this never actually updated the system,
despite that I had automatic updates enabled for some time.
Turns out, KDE uses Discover to update the system unattended. And
discover uses packagekit to trigger offline updates.
Now here is the problem: Usually this would work. It does on other
distros which don't patch the polkit policy. But not on (K)ubuntu.
In the package sources there is a patch for the debian/ubuntu package:
<packagesrc>/debian/patches/policy.diff
This patch does change the permission to do offline updates from all
active users to only admins.
Here:
```
@@ -273,7 +271,7 @@
<action id="org.freedesktop.packagekit.trigger-offline-update">
<!-- SECURITY:
- - Normal users are able to ask updates to be installed at
+ - Administrators are able to ask updates to be installed at
early boot time without a password.
-->
<description>Trigger offline updates</description>
@@ -282,7 +280,7 @@
<defaults>
<allow_any>auth_admin</allow_any>
<allow_inactive>auth_admin</allow_inactive>
- <allow_active>yes</allow_active>
+ <allow_active>auth_admin_keep</allow_active>
</defaults>
</action>
```
With this patch, it prompts the user for a password before allowing
offline updates. Now in unattended update mode, this prompt is hidden.
So basically with that patch, unattended updates on Kubuntu just fail
silently.
Removing this patch (or at least reverting the change in this
- "org.freedesktop.packagekit.trigger-offline-update" rule) makes auto
+ "org.freedesktop.packagekit.trigger-offline-update" action) makes auto
updates work again.
Please remove this change from the patch (or even the whole patch? this
was last modified in 2012, so should be reviewed if still needed).
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1955489
Title:
Patch to polkit policy breaks automatic/unattended updates
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1955489/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
