Bug 40861 - univention-app install accepts unsigned packages
Product: UCS
Classification: Unclassified
Component: App Center
UCS 4.1
Other Linux
P1 normal
UCS 4.1-1-errata
Assigned To: Dirk Wiesenthal
Felix Botner
Reported: 2016-03-08 16:15 CET by Dirk Wiesenthal
Modified: 2016-04-13 15:00 CEST
Description Dirk Wiesenthal univentionstaff 2016-03-08 16:15:25 CET
univention-app seems to not check for unsigned packages. This should be fixed.

To reproduce:
  univention-app install owncloud82=8.2.2
  # add omar:build2 repo, assuming there are unsigned updates
  univention-app upgrade owncloud82
Comment 1 Dirk Wiesenthal univentionstaff 2016-03-27 00:22:28 CET
Fixed in
  univention-appcenter 5.0.20-35.146.201603270006

The apt-get options have been adjusted (compare ucr get update/commands/install).

When reproducing as in Comment 0, the fix seems to be insufficient. It will actually upgrade owncloud82 but then all of a sudden cancel the upgrade because it found unsigned packages.

This special case is indeed a bit unsatisfying. But keep in mind that this should not really affect the App.

Upgrade is done by
  (1) apt-get install $default_packages
  (2) apt-get dist-upgrade

(1) Has to be done to handle possible changes in DefaultPackages between App versions.
(2) Has to be done in case only secondary packages in the App repo were updated, not necessarily DefaultPackages (also, DefaultPackages rarely have a strong version dependency on all secondary packages).

The dist-upgrade is only for the App's repo but of course also upgrades the UCS packages.

When reproducing like this, we are talking about two different repositories, one signed, one not. ownCloud is upgraded correctly - and this is fine. All owncloud packages were signed.

The error in the end is fine, too, as the dist-upgrade failed. But all those packages were not required to get the new version of owncloud working. Unfortunately the error message is owncloud focused, which is wrong here. But as I said, this is a very improbable error.

What this bug fix should prevent is upgrading owncloud when owncloud (or any secondary package that owncloud explicitly requires) is unsigned. This should have been fixed.
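
An added example, not part of the comment above and not univention-appcenter code: a shell check that flags apt-get command lines carrying options which switch off signature verification, the kind of setting an adjusted install command has to avoid. Which options the fix actually changed is not stated on this page; the options tested are stock apt options, and the function name and the idea of feeding it the UCR value are assumptions.

```shell
#!/bin/sh
# Added example, not Univention code. The option names are stock apt options;
# the function name is hypothetical.

# Print each option in command line "$1" that lets apt-get install packages
# whose signature cannot be verified. Returns 0 if any was found, else 1.
apt_cmd_insecure_opts() {
    _found=1
    _prev=""
    set -f                          # no globbing while the string is split
    for _word in $1; do
        _opt=""
        case "$_word" in
            --force-yes|--allow-unauthenticated)
                printf '%s\n' "$_word"
                _found=0 ;;
            --option=*)             # --option=Key=Value
                _opt=${_word#--option=} ;;
            -o?*)                   # -oKey=Value written as one word
                _opt=${_word#-o} ;;
            *)                      # Key=Value after a separate -o / --option
                if [ "$_prev" = "-o" ] || [ "$_prev" = "--option" ]; then
                    _opt=$_word
                fi ;;
        esac
        _prev=$_word
        [ -n "$_opt" ] || continue
        # apt configuration keys are case-insensitive; compare in lower case.
        _lc=$(printf '%s' "$_opt" | tr 'A-Z' 'a-z')
        case "$_lc" in
            apt::get::allowunauthenticated=*|apt::get::force-yes=*)
                case "${_lc#*=}" in
                    true|yes|1|on|with|enable)   # values apt reads as "true"
                        printf '%s\n' "-o $_opt"
                        _found=0 ;;
                esac ;;
        esac
    done
    set +f
    return $_found
}

# On a UCS host (assumption: the variable holds a complete apt-get command):
#   apt_cmd_insecure_opts "$(ucr get update/commands/install)" \
#       && echo "install command accepts unsigned packages" >&2
```

The check covers the command line only; a repository marked `trusted=yes` in a sources.list entry bypasses verification without any of these options.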
Comment 2 Felix Botner univentionstaff 2016-04-06 11:28:32 CEST
OK - app installation
OK - app upgrade with unsigned packages fails
OK - app upgrade

Comment 3 Janek Walkenhorst univentionstaff 2016-04-13 15:00:16 CEST