How are package updates defined as security updates?












I've created and published a mirror of the Ubuntu repositories for Xenial using aptly. This includes xenial and xenial-updates downloaded from my country-specific Ubuntu mirror. I've taken xenial-security from http://security.ubuntu.com. I can use all apt or apt-get update and upgrade commands normally with this mirror to manually upgrade systems.



My issue is that unattended-upgrades with security-only updates configured will not register any packages as available to upgrade. Likewise, after using apt update, the motd message on login will say something like:



261 packages can be updated.
0 updates are security updates.


If I switch back to the default repositories and run the same command, motd changes to:



261 packages can be updated.
176 updates are security updates.


Running unattended-upgrade --dry-run -d has similar results, plenty of security updates if I use the default mirrors, but none from my local mirror.



Evidently I'm losing whatever marks the packages as security updates in my mirroring process.



How does apt determine that a package update is a security update once the package list has been updated? What do I have to do to accurately mirror this?







apt package-management repository mirrors unattended-upgrades














edited Feb 1 at 3:16 – Community

asked Jan 30 at 12:51 – Arronical













  • Nothing 'marks' a security update; they simply come from a specific pocket (-security). Passing packages through a local repo (as opposed to a caching proxy) should indeed confuse the motd scripts.

    – user535733
    Feb 1 at 5:56











  • @user535733 I've found out that it's due to aptly changing the 'Origin:' field in the InRelease file to match the publishing endpoint. The scripts responsible for updating motd and for determining whether updates are security updates will only accept the origin being 'Ubuntu'. Once I modified the InRelease file on my mirror, the xenial-security pocket was recognised as being a valid source for security updates. I think that belongs in a new question and answer though. It was interesting to note that the motd message is updated immediately after any apt update command though.

    – Arronical
    Feb 1 at 9:13
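
The Origin mismatch described in the comment above, as an added example (not code from the post, from aptly or from unattended-upgrades): it reads the Origin and Suite fields from an InRelease file and tests them against a security-only `Unattended-Upgrade::Allowed-Origins` entry. The sample InRelease texts, the mirror's Origin value and all function names are constructed for illustration, and the matching is a simplified model of the origin:archive check.

```python
import fnmatch
import re

# Constructed sample modelled on the fields of an official -security Release file.
OFFICIAL_INRELEASE = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Origin: Ubuntu
Label: Ubuntu
Suite: xenial-security
Version: 16.04
Codename: xenial
Components: main restricted universe multiverse
-----BEGIN PGP SIGNATURE-----
(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
"""

# Constructed sample: the same pocket republished with a rewritten Origin.
# The value is hypothetical; use whatever your mirror actually publishes.
MIRROR_INRELEASE = OFFICIAL_INRELEASE.replace(
    "Origin: Ubuntu", "Origin: mirror.example xenial-security")

# Security-only policy, in the origin:archive form used by
# Unattended-Upgrade::Allowed-Origins.
ALLOWED_ORIGINS = ["${distro_id}:${distro_codename}-security"]


def release_fields(text):
    """Return the header fields of a Release or clearsigned InRelease file."""
    fields = {}
    in_body = not text.startswith("-----BEGIN PGP SIGNED MESSAGE-----")
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        if not in_body:
            in_body = line == ""  # armor headers end at the first blank line
            continue
        m = re.match(r"([A-Za-z][A-Za-z0-9-]*):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def is_allowed_origin(fields, allowed=ALLOWED_ORIGINS,
                      distro_id="Ubuntu", codename="xenial"):
    """Simplified model: both Origin and Suite must match one allowed entry."""
    origin, archive = fields.get("Origin", ""), fields.get("Suite", "")
    for entry in allowed:
        entry = entry.replace("${distro_id}", distro_id)
        entry = entry.replace("${distro_codename}", codename)
        want_origin, _, want_archive = entry.partition(":")
        if (fnmatch.fnmatch(origin, want_origin)
                and fnmatch.fnmatch(archive, want_archive)):
            return True
    return False


def diagnose(text):
    """Explain why a published pocket would or would not count as security."""
    fields = release_fields(text)
    if is_allowed_origin(fields):
        return "ok"
    if fields.get("Suite", "").endswith("-security"):
        return "origin-mismatch: Origin is %r" % fields.get("Origin", "")
    return "not-a-security-pocket"


if __name__ == "__main__":
    for name, text in (("official", OFFICIAL_INRELEASE),
                       ("mirror", MIRROR_INRELEASE)):
        print(name, "->", diagnose(text))
```

Editing the Origin field in a published InRelease file changes the signed content, so the file has to be re-signed with the mirror's key afterwards. On a client, `apt-cache policy` prints the `o=` (origin) and `a=` (archive) values apt actually recorded for each source.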



















1 Answer













"Security Updates" come from the -security repository. Only the Ubuntu Security Team has permission to upload to that pocket. Apt does not "determine" anything.



Example: Security updates in Xenial are packaged by the Ubuntu Security Team and distributed in the xenial-security pocket.



For your specific case:



1) Ensure that you really have a security repo enabled in sources.list.



2) Don't trust motd's numbers - motd is a handy reminder feature, but those numbers update only once per day...and you don't know when.



3) Try one of these methods to accurately see if uninstalled security updates are in the -security pocket for your release of Ubuntu.



4) Unattended Upgrades can be really sneaky about upgrades (that's good). Check a week of the U-U history in /var/log/unattended-upgrades to be certain that U-U is not installing security upgrades. If so, time to double-check your sources (see #1).

















answered Jan 30 at 13:51 – user535733













  • Thanks for the answer, but this doesn't match what I'm seeing. Motd is updated immediately after apt update. I have a mirror with the xenial-security pocket published containing the contents of the official -security pocket. I'm pretty up to speed with the unattended-upgrades log, definitely nothing in there. Also, running the unattended-upgrade --dry-run -d command gives much more verbose output, showing the exact same package version being checked for both sources, but the local repo version not needing to be updated as a security concern.

    – Arronical
    Jan 30 at 15:07


















