Univention Bugzilla – Bug 52482
Release management: due to sec updates univention-errata-level from current version in old version
Last modified: 2020-12-11 14:46:22 CET
For sec updates (for old releases, let's say 4.4-3) we currently also copy the univention-errata-package package from the current release (4.4-4) to the old release.

We now end up with a system

UCS: 4.4-3 errata587

But not all errata updates up to this point (587) are installed, e.g. 2020-04-22_533_univention-appcenter.yaml is only released in errata4.4-4.

Now I update my system to 4.4-4 via UMC, unfortunately this update does not include the errata4.4-4 packages.

Now I'm on

UCS: 4.4-4 errata587,

but again a lot of errata updates are missing (e.g. univention-appcenter).

This situation can at least be a problem for Apps with the "SupportedUcsVersions" parameter. Normally this

SupportedUcsVersions = 4.4-4 errata548

would prevent the installation of the app if the erratum 2020-04-22_533_univention-appcenter.yaml is not installed. But due to this problem we are already at 4.4-4 errata587 (but without the actual packages), the appcenter thinks SupportedUcsVersions is fine, installs the app and throws an error like Bug #51432.
What could we do?

* Do not copy the current univention-errata-package to the old release
* Install the new version (4.4-4) and all the errata (errata4.4-4 in one step)
* ...?
(In reply to Felix Botner from comment #0)
> For sec updates (for old releases, let's say 4.4-3) we currently also copy
> the univention-errata-package package from the current release (4.4-4) to
> the old release.
>
>
> We now end up with a system
>
> UCS: 4.4-3 errata587
>
> But not all errata updates up to this point (587) are installed, e.g.
> 2020-04-22_533_univention-appcenter.yaml is only released in errata4.4-4.
>
> Now I update my system to 4.4-4 via UMC, unfortunately this update does not
> include the errata4.4-4 packages.

Why is errata4.4-4 not enabled and updated to? It should be!

The CLI `univention-upgrade` does this correctly:
1. install pending package updates, which include errata updates until all done
2. install App updates and restart with 1.
3. install release updates and restart with 1.

But UMC does things differently and on its own, which is "the bug".
> Why is errata4.4-4 not enabled and updated to? It should be!

Of course it is enabled but...

> But UMC does things differently and on its own, which is "the bug".

Not quite differently... in UMC you select to update to Release 4.4-4, you then see the option to install available errata updates (or update to a later release if it's available). On the CLI you also update to 4.4-4 first and then have to confirm that errata and app updates should be installed.

We could discuss if available errata updates should be immediately installed after a release update. In our release notes there is an extra section about steps to do after a new release is installed, e.g. run join scripts. Just installing everything without a stop in between may not always be the best solution, though it may help with this particular problem.
(In reply to Philipp Hahn from comment #2)
> (In reply to Felix Botner from comment #0)
> > For sec updates (for old releases, let's say 4.4-3) we currently also copy
> > the univention-errata-package package from the current release (4.4-4) to
> > the old release.
> >
> >
> > We now end up with a system
> >
> > UCS: 4.4-3 errata587
> >
> > But not all errata updates up to this point (587) are installed, e.g.
> > 2020-04-22_533_univention-appcenter.yaml is only released in errata4.4-4.
> >
> > Now I update my system to 4.4-4 via UMC, unfortunately this update does not
> > include the errata4.4-4 packages.
>
> Why is errata4.4-4 not enabled and updated to? It should be!
>
> The CLI `univention-upgrade` does this correctly:
> 1. install pending package updates, which include errata updates until all
> done
> 2. install App updates and restart with 1.
> 3. install release updates and restart with 1.
>
> But UMC does things differently and on its own, which is "the bug".

Yes, that could be a solution for the

UCS: 4.4-4 errata587 (and not all errata packages are installed)

problem.

But what is with

UCS: 4.4-3 errata587

What is that supposed to mean?
Currently it means 4.4-3 with some of the packages up to errata587, is that helpful?

Or in other words, why do we copy univention-errata-level from the current to the old release?
(In reply to Felix Botner from comment #4)
> But what is with
>
> UCS: 4.4-3 errata587
>
> What is that supposed to mean?
> Currently it means 4.4-3 with some of the packages up to errata587, is that
> helpful?

errata-level is per "major.minor", NOT per "patchlevel". So yes, 4.4-3+e587 equals 4.4-3 + SOME errata from later releases, but not continuously as 4.4-3 ONLY received the security updates from Debian, but NOT the feature updates from errata4.4-4.

> Or in other words, why do we copy univention-errata-level from the
> current to the old release?

4.4-3 also should have an updated errata level because it no longer is "plain 4.4-3" (plus latest errata before the release of 4.4-4). But all later errata "numbers" are already taken by "4.4-4", so there is no hole left to be filled with security updates for 4.4-4, which also get announced for 4.4-3 during the 6 week overlap.

<https://errata.software-univention.de/#/?version=4.4-3&version=4.4-4>

4.4-3+eXXX -> 4.4-3+e499 -> 4.4-3+e50[012] -> 4.4-3+e522 -> ...
-> 4.4-4+e40[012] -> 4.4-4+e503…521 -> 4.4-4+e522 -> ...

IMHO it is never a good idea to just stop after a patch-level update - always install the corresponding errata too. Why should one ever stop at a known "broken" state? We release those errata for a reason...
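
The state discussed in this thread, as an added example that is not part of any comment and not Univention's updater or App Center code: a simplified model in which the errata level is one counter shared per major.minor while errata are published per patch level, showing how a counter-only `SupportedUcsVersions` check passes although erratum 533 is missing. The `System` class, the comparison rule in `level_gate` and the catalogue entries other than the numbers 533, 548 and 587 quoted above are assumptions made for the illustration.

```python
# Simplified model for illustration; an assumption, not Univention code.
from dataclasses import dataclass, field

# Constructed catalogue: erratum number -> patch levels it was released for.
# 533, 548 and 587 are the numbers quoted in the thread; the rest is made up.
ERRATA = {
    500: {"4.4-3", "4.4-4"},
    522: {"4.4-3", "4.4-4"},
    533: {"4.4-4"},            # univention-appcenter, only in errata4.4-4
    587: {"4.4-3", "4.4-4"},   # security update announced for both releases
}

@dataclass
class System:
    release: str
    errata_level: int = 0
    installed: set = field(default_factory=set)

    def install_pending_errata(self):
        """Install every erratum published for the current patch level."""
        for number, releases in ERRATA.items():
            if self.release in releases:
                self.installed.add(number)
                # The level is shared per major.minor, so it jumps to the
                # highest number even if lower numbers were never offered.
                self.errata_level = max(self.errata_level, number)

    def release_update(self, new_release):
        """Patch-level update only; errata of the new release stay pending."""
        self.release = new_release

def parse_requirement(text):
    """Split a value such as '4.4-4 errata548' into ('4.4-4', 548)."""
    release, level = text.split()
    return release, int(level.replace("errata", ""))

def level_gate(system, requirement):
    """Counter-only check: release matches and the level is high enough."""
    release, level = parse_requirement(requirement)
    return system.release == release and system.errata_level >= level

def missing_errata(system, requirement):
    """Errata up to the required level that the release offers but lacks."""
    release, level = parse_requirement(requirement)
    return sorted(n for n, rel in ERRATA.items()
                  if n <= level and release in rel and n not in system.installed)
```

Comparing `level_gate` with `missing_errata` for the same requirement on a host shows whether the reported level is backed by the packages it implies.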