prometheus-community/node-exporter-textfile-collector-scripts

apt.sh includes stats about packages that aren't even installed

kyrofa opened this issue · 3 comments

I have an alert set up to notify me if any of my machines are failing to install security updates. Today I'm getting alerts for a machine that actually has no security updates available:

$ apt list --upgradable
Listing... Done
apport/focal-updates 2.20.11-0ubuntu27.14 all [upgradable from: 2.20.11-0ubuntu27.13]
cloud-init/focal-updates 20.4.1-0ubuntu1~20.04.1 all [upgradable from: 20.3-2-g371b392c-0ubuntu1~20.04.1]
libasound2-data/focal-updates 1.2.2-2.1ubuntu2.3 all [upgradable from: 1.2.2-2.1ubuntu2.2]
libasound2/focal-updates 1.2.2-2.1ubuntu2.3 amd64 [upgradable from: 1.2.2-2.1ubuntu2.2]
libdrm-common/focal-updates 2.4.102-1ubuntu1~20.04.1 all [upgradable from: 2.4.101-2]
libdrm2/focal-updates 2.4.102-1ubuntu1~20.04.1 amd64 [upgradable from: 2.4.101-2]
libnetplan0/focal-updates 0.101-0ubuntu3~20.04.2 amd64 [upgradable from: 0.100-0ubuntu4~20.04.3]
libnss-systemd/focal-updates 245.4-4ubuntu3.4 amd64 [upgradable from: 245.4-4ubuntu3.3]
libpam-systemd/focal-updates 245.4-4ubuntu3.4 amd64 [upgradable from: 245.4-4ubuntu3.3]
libsystemd0/focal-updates 245.4-4ubuntu3.4 amd64 [upgradable from: 245.4-4ubuntu3.3]
libudev1/focal-updates 245.4-4ubuntu3.4 amd64 [upgradable from: 245.4-4ubuntu3.3]
lsof/focal-updates 4.93.2+dfsg-1ubuntu0.20.04.1 amd64 [upgradable from: 4.93.2+dfsg-1]
netplan.io/focal-updates 0.101-0ubuntu3~20.04.2 amd64 [upgradable from: 0.100-0ubuntu4~20.04.3]
python3-apport/focal-updates 2.20.11-0ubuntu27.14 all [upgradable from: 2.20.11-0ubuntu27.13]
python3-problem-report/focal-updates 2.20.11-0ubuntu27.14 all [upgradable from: 2.20.11-0ubuntu27.13]
sosreport/focal-updates 4.0-1~ubuntu0.20.04.3 amd64 [upgradable from: 4.0-1~ubuntu0.20.04.2]
systemd-sysv/focal-updates 245.4-4ubuntu3.4 amd64 [upgradable from: 245.4-4ubuntu3.3]
systemd-timesyncd/focal-updates 245.4-4ubuntu3.4 amd64 [upgradable from: 245.4-4ubuntu3.3]
systemd/focal-updates 245.4-4ubuntu3.4 amd64 [upgradable from: 245.4-4ubuntu3.3]
udev/focal-updates 245.4-4ubuntu3.4 amd64 [upgradable from: 245.4-4ubuntu3.3]
update-notifier-common/focal-updates 3.192.30.4 all [upgradable from: 3.192.30]

I found this very confusing until I looked closer at apt.sh and realized it was using apt-get --just-print dist-upgrade to extract its information. I checked the output of that command, and there is indeed something coming from -security:

$ apt-get --just-print dist-upgrade
NOTE: This is only a simulation!
      apt-get needs root privileges for real execution.
      Keep also in mind that locking is deactivated,
      so don't depend on the relevance to the real current situation!
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following package was automatically installed and is no longer required:
  libfreetype6
Use 'apt autoremove' to remove it.
The following NEW packages will be installed:
  alsa-utils libatopology2 libfftw3-single3 libgomp1 libpciaccess0 libsamplerate0 python3-xkit ubuntu-drivers-common
The following packages will be upgraded:
  apport cloud-init libasound2 libasound2-data libdrm-common libdrm2 libnetplan0 libnss-systemd libpam-systemd libsystemd0 libudev1 lsof
  netplan.io python3-apport python3-problem-report sosreport systemd systemd-sysv systemd-timesyncd udev update-notifier-common
21 upgraded, 8 newly installed, 0 to remove and 0 not upgraded.
<snip>
Inst libgomp1 (10.2.0-5ubuntu1~20.04 Ubuntu:20.04/focal-updates, Ubuntu:20.04/focal-security [amd64])
<snip>
Conf libgomp1 (10.2.0-5ubuntu1~20.04 Ubuntu:20.04/focal-updates, Ubuntu:20.04/focal-security [amd64])
<snip>

However, take a closer look at that output:

The following NEW packages will be installed:
alsa-utils libatopology2 libfftw3-single3 libgomp1 libpciaccess0 libsamplerate0 python3-xkit ubuntu-drivers-common

Which means this isn't actually a security update at all: libgomp1 isn't even installed. It's a new dependency added by something that isn't a security update, and thus will not be installed (because my production instances only install security updates automatically).

This makes me think that apt-get --just-print dist-upgrade isn't the right tool for the job. Thoughts?

How would people feel about my rewriting this script using the apt Python API?
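As an added example (not the project's apt.sh, and not the fix proposed in #99), here is a shell function that parses the same `apt-get --just-print dist-upgrade` output but skips `Inst` lines for packages that do not appear under `The following packages will be upgraded:`, so a -security dependency pulled in for a package that isn't installed (libgomp1 above) no longer counts as a pending security update. The sample output is constructed and trimmed, and the `apt_upgrades_pending{origin,arch}` series name is assumed to match what apt.sh emits.

```shell
#!/bin/sh
# Added example, not the project's apt.sh: count pending upgrades per APT
# origin/arch from `apt-get --just-print dist-upgrade`, but only for packages
# that are already installed (those listed under "will be upgraded").
# "Inst" lines for brand-new dependencies are ignored.

# Constructed, trimmed sample of the simulation output (version in [] is the
# currently installed one; NEW packages have no such field).
SAMPLE='The following NEW packages will be installed:
  libgomp1 libpciaccess0
The following packages will be upgraded:
  libsystemd0 systemd
2 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Inst libsystemd0 [245.4-4ubuntu3.3] (245.4-4ubuntu3.4 Ubuntu:20.04/focal-updates, Ubuntu:20.04/focal-security [amd64])
Inst systemd [245.4-4ubuntu3.3] (245.4-4ubuntu3.4 Ubuntu:20.04/focal-updates, Ubuntu:20.04/focal-security [amd64])
Inst libgomp1 (10.2.0-5ubuntu1~20.04 Ubuntu:20.04/focal-updates, Ubuntu:20.04/focal-security [amd64])
Inst libpciaccess0 (0.16-0ubuntu1 Ubuntu:20.04/focal [amd64])'

# pending_upgrades: read simulation output on stdin, print one metric line per
# origin/arch, counting only packages named in the "will be upgraded" list.
pending_upgrades() {
    awk '
    /^[^ ]/ { mode = "" }                              # unindented line ends a list
    /^The following packages will be upgraded:/ { mode = "up"; next }
    mode == "up" { for (i = 1; i <= NF; i++) upgraded[$i] = 1; next }
    /^Inst / {
        if (!($2 in upgraded)) next                    # skip NEW dependencies
        s = $0; sub(/^[^(]*\(/, "", s); sub(/\)$/, "", s)   # keep "(...)" contents
        arch = s; sub(/.*\[/, "", arch); sub(/\].*/, "", arch)
        sub(/ *\[[^]]*\]$/, "", s)                     # drop " [amd64]"
        sub(/^[^ ]+ /, "", s)                          # drop candidate version
        gsub(/ /, "", s)                               # "origin1,origin2"
        count[s "\t" arch]++
    }
    END {
        for (k in count) {
            split(k, f, "\t")
            printf "apt_upgrades_pending{origin=\"%s\",arch=\"%s\"} %d\n", f[1], f[2], count[k]
        }
    }'
}

printf '%s\n' "$SAMPLE" | pending_upgrades
```

With the sample above this prints a single line with a count of 2; counting every `Inst` line instead would report 4, including a `Ubuntu:20.04/focal` origin for a package that is not installed.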

micah commented

There was a Python script that was part of Ubuntu's update-notifier-common package, perhaps you would like to re-use that, or base what you do on that?

It would make me nervous to bring something into this repo that is rather unclear on its license. It's not really needed anyway; the API is well documented and I've used it heavily in the past. See #99 for my solution to this.