How are package updates defined as security updates?
I've created and published a mirror of the Ubuntu repositories for Xenial using aptly. This includes xenial and xenial-updates downloaded from my country specific Ubuntu mirror. I've taken xenial-security from http://security.ubuntu.com. I can use all apt or apt-get update and upgrade commands normally with this mirror to manually upgrade systems.
My issue is that unattended-upgrades with security only updates configured will not register any packages as available to upgrade. Likewise after using apt update, the motd message on login will say something like:
261 packages can be updated.
0 updates are security updates.
If I switch back to the default repositories and run the same command, motd changes to:
261 packages can be updated.
176 updates are security updates.
Running unattended-upgrade --dry-run -d has similar results, plenty of security updates if I use the default mirrors, but none from my local mirror.
Evidently I'm losing whatever marks the packages as security updates in my mirroring process.
How does apt determine that a package update is a security update once the package list has been updated? What do I have to do to accurately mirror this?
apt package-management repository mirrors unattended-upgrades
Nothing 'marks' a security update, they simply come from a specific pocket (-security). Passing packages through a local repo (as opposed to a caching proxy) should indeed confuse the motd scripts.
– user535733
Feb 1 at 5:56
@user535733 I've found out that it's due to aptly changing the 'Origin:' field in the InRelease file to match the publishing endpoint. The scripts responsible for updating motd and for determining whether updates are security updates will only accept the origin being 'Ubuntu'. Once I modified the InRelease file on my mirror the xenial-security pocket was recognised as being a valid source for security updates. I think that belongs in a new question and answer though. It was interesting to note that the motd message is updated immediately after any apt update command though.
– Arronical
Feb 1 at 9:13
edited Feb 1 at 3:16 by Community♦
asked Jan 30 at 12:51 by Arronical
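The Origin mismatch reported in the comments above can be checked offline against a mirror's Release or InRelease file. The following is an added example, not code from the thread or from unattended-upgrades: it is a simplified model of the "origin:archive" comparison behind the stock Allowed-Origins entry "${distro_id}:${distro_codename}-security", and the sample headers, including the rewritten Origin value, are constructed for illustration.

```python
"""Check whether Release metadata satisfies an Allowed-Origins entry.

Simplified model: Origin and Suite must equal the expanded
"origin:archive" pair. Signature verification is out of scope here.
"""

# Constructed sample headers (not copied from a live archive).
UPSTREAM_RELEASE = """\
Origin: Ubuntu
Label: Ubuntu
Suite: xenial-security
Codename: xenial
Components: main restricted universe multiverse
"""

# Constructed: the same pocket after a mirror tool rewrote Origin/Label.
# The exact rewritten value is an assumption for illustration.
MIRROR_INRELEASE = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Origin: . xenial-security
Label: . xenial-security
Suite: xenial-security
Codename: xenial
-----BEGIN PGP SIGNATURE-----
(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
"""

ALLOWED_ORIGINS = ["${distro_id}:${distro_codename}-security"]


def parse_release(text):
    """Return header fields of a Release or clearsigned InRelease file."""
    lines = text.splitlines()
    if lines and lines[0].startswith("-----BEGIN PGP SIGNED MESSAGE"):
        # Body starts after the first blank line and ends at the signature.
        start = lines.index("") + 1
        end = next(i for i, line in enumerate(lines)
                   if line.startswith("-----BEGIN PGP SIGNATURE"))
        lines = lines[start:end]
    fields = {}
    for line in lines:
        if line[:1] in (" ", "\t") or ":" not in line:
            continue  # checksum continuation lines are not needed here
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def matches_allowed_origin(fields, patterns, distro_id="Ubuntu", codename="xenial"):
    """True if Origin and Suite equal an expanded "origin:archive" entry."""
    for pattern in patterns:
        expanded = (pattern.replace("${distro_id}", distro_id)
                           .replace("${distro_codename}", codename))
        origin, _, archive = expanded.partition(":")
        if fields.get("Origin") == origin and fields.get("Suite") == archive:
            return True
    return False


def diagnose(text, patterns=ALLOWED_ORIGINS):
    """Return (eligible, Origin, Suite) for one Release/InRelease text."""
    fields = parse_release(text)
    eligible = matches_allowed_origin(fields, patterns)
    return eligible, fields.get("Origin"), fields.get("Suite")


if __name__ == "__main__":
    for name, text in (("upstream", UPSTREAM_RELEASE), ("mirror", MIRROR_INRELEASE)):
        print(name, diagnose(text))
```

On a client, the values apt actually recorded for each source appear as o= (Origin) and a= (Suite) in the output of apt-cache policy.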
1 Answer
"Security Updates" come from the -security repository. Only the Ubuntu Security Team has permission to upload to that pocket. Apt does not "determine" anything.
Example: Security updates in Xenial are packaged by the Ubuntu Security Team and distributed in the xenial-security pocket.
For your specific case:
1) Ensure that you really have a security repo enabled in sources.list.
2) Don't trust motd's numbers - motd is a handy reminder feature, but those numbers update only once per day...and you don't know when.
3) Try one of these methods to accurately see if uninstalled security updates are in the -security pocket for your release of Ubuntu.
4) Unattended Upgrades can be really sneaky about upgrades (that's good). Check a week of the U-U history in /var/log/unattended-upgrades to be certain that U-U is not installing security upgrades. If so, time to double-check your sources (see #1).
Thanks for the answer but this doesn't match what I'm seeing. Motd is updated immediately after apt update. I have a mirror with the xenial-security pocket published containing the contents of the official -security pocket. I'm pretty up to speed with the unattended-upgrades log, definitely nothing in there. Also running the unattended upgrade --dry-run -d command gives much more verbose output, showing the exact same package version being checked for both sources, but the local repo version not needing to be updated as a security concern.
– Arronical
Jan 30 at 15:07
answered Jan 30 at 13:51 by user535733