Bug 54756 - APT pinning during UCS@school 4.4→5.0 update required?
Status: CLOSED FIXED
Alias: None
Product: UCS@school
Classification: Unclassified
Component: General
Version: UCS@school 5.0
Hardware: Other Linux
: P5 normal
Target Milestone: UCS@school 5.0 v1
Assignee: Felix Botner
QA Contact: Jürn Brodersen
Reported: 2022-05-13 17:25 CEST by Sönke Schwardt-Krummrich
Modified: 2023-03-20 18:39 CET (History)
What kind of report is it?: Bug Report
What type of bug is this?: 6: Setup Problem: Issue for the setup process
Who will be affected by this bug?: 4: Will affect most installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.411
School Customer affected?: Yes

Description Sönke Schwardt-Krummrich univentionstaff 2022-05-13 17:25:53 CEST
Via bug 53782 an APT pinning via preup.sh and postup.sh for UCS@school 5.0v1 was set up to deliver certain packages in a newer version in case UCS@school is installed
(→ please first read bug 53782 for the reasons!).

The mechanism implemented there worked for the TEST appcenter. The release file stored there matched the APT pinning.
On omar, however, the Release file is automatically regenerated when

  ./copy_from_appcenter.test.sh 5.0 ucsschool_20201208103021

is called and then the file contains a different "Label" entry, which no longer matches the pinning (see diff below).

In addition, the Release file contains a (wrong) checksum for itself → is this a problem?

--- appcenter.test/univention-repository/5.0/maintained/component/ucsschool_20201208103021/all/Release  2022-05-13 10:32:26.330167257 +0200
+++ appcenter/univention-repository/5.0/maintained/component/ucsschool_20201208103021/all/Release       2022-05-13 13:58:52.706936124 +0200
@@ -1,26 +1,21 @@
 Codename: ucsschool_20201208103021/all
-Date: Fri, 13 May 2022 08:32:26 +0000
-Label: ucs@school
+Date: Fri, 13 May 2022 11:58:52 +0000
+Label: Univention
 Origin: Univention
-Suite: apt
 Version: ucsschool_20201208103021
 MD5Sum:
- fbb0b869fd8306f3b3a2335585707b8d           182813 Packages
- dc58cec6b230def9e1226d8e22d8b17a            33698 Packages.bz2
- de1778e268e62b92dfe03ceaa0ebc0c3            43739 Packages.gz
- 4f242ed517a20bbe686a6ebed1286b8f              159 Release
+ 94621c9716b74e80cff988a00e9b6bb4           182813 Packages
+ df6dbf087611954fee2dc65cc24cfb70            33721 Packages.bz2
+ 4fda26b1064356bf8f0997a86200168c            40110 Packages.gz
[...]
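
Review bot: The `Label:` line changing from `ucs@school` to `Univention`, together with the dropped `Suite: apt` line, leaves the regenerated file with a Label identical to `Origin: Univention`, so a pin keyed on the label can no longer single out this component. Either have the copy step preserve the Label and Suite values of the test Release file, or key the pin on a field that is unchanged on both sides of this hunk, such as `Codename: ucsschool_20201208103021/all`. The `Release` entry under `MD5Sum:` on the removed side is also worth dropping at generation time, since a checksum of the file stops being correct as soon as it is written into that same file.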

So the release of UCS@school 5.0v1 has effectively taken place WITHOUT the intended APT pinning. Changing the label in the release file after the fact causes apt-get on the existing UCS@school 5.0 systems to want to manually confirm the change for security reasons:

E: Repository 'https://appcenter.software-univention.de/univention-repository/5.0/maintained/component ucsschool_20201208103021/all/ Release' changed its 'Label' value from 'Univention' to 'ucs@school'
N: This must be accepted explicitly before updates for this repository can be applied. See apt-secure(8) manpage for details.
E: Repository 'https://appcenter.software-univention.de/univention-repository/5.0/maintained/component ucsschool_20201208103021/amd64/ Release' changed its 'Label' value from 'Univention' to 'ucs@school'
N: This must be accepted explicitly before updates for this repository can be applied. See apt-secure(8) manpage for details.

Do we have a serious problem here? 
Or are the bugs fixed automatically by installing the errata updates afterwards?
Comment 2 Ingo Steuwer univentionstaff 2022-07-11 08:20:58 CEST
Any new insights here, is this an issue relevant in production?
Comment 3 Erik Damrose univentionstaff 2022-07-14 10:56:40 CEST
With the kopano app, we are doing the pinning a bit differently, maybe this also helps for the school update.

https://appcenter-test.software-univention.de/univention-repository/5.0/maintained/component/kopano-core_20220630105644/all/preup.sh
Comment 4 Jan-Luca Kiok univentionstaff 2023-03-20 14:14:59 CET
Asked for clarification if the issue is still relevant.
Comment 6 Jürn Brodersen univentionstaff 2023-03-20 18:38:20 CET
Let's close this here:

What I checked
preup.sh test-appcenter -> OK 
https://appcenter-test.software-univention.de/univention-repository/5.0/maintained/component/ucsschool_20201208103021/all/preup.sh

preup.sh appcenter -> OK
https://appcenter.software-univention.de/univention-repository/5.0/maintained/component/ucsschool_20201208103021/all/preup.sh

Signature preup.sh appcenter -> OK
gpg --keyring /etc/apt/trusted.gpg.d/univention-archive-key-ucs-5x.gpg  --verify preup.sh.gpg preup.sh

preup.sh itself -> OK
`bash preup.sh post 5.0-0`
`apt policy`
```
Package files:
 100 /var/lib/dpkg/status
     release a=now
1002 https://appcenter.software-univention.de/univention-repository/5.0/maintained/component ucsschool_20201208103021/amd64/ Packages
     release v=ucsschool_20201208103021,o=Univention,n=ucsschool_20201208103021/amd64,l=Univention,c=
     origin appcenter.software-univention.de
1002 https://appcenter.software-univention.de/univention-repository/5.0/maintained/component ucsschool_20201208103021/all/ Packages
     release v=ucsschool_20201208103021,o=Univention,n=ucsschool_20201208103021/all,l=Univention,c=
     origin appcenter.software-univention.de
 500 http://updates.knut.univention.de errata502/main amd64 Packages
     release v=5.0.2-errata,o=Univention,a=errata502,n=errata502,l=Univention Corporate Server,c=main,b=amd64
     origin updates.knut.univention.de
 500 http://updates.knut.univention.de ucs502/main amd64 Packages
     release v=5.0.2,o=Univention,a=ucs502,n=ucs502,l=Univention Corporate Server,c=main,b=amd64
     origin updates.knut.univention.de
Pinned packages:
```

Looks good to me -> Verified
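
Added example (not part of the bug report or of Univention's scripts): the check below evaluates `Pin: release` conditions against the release fields APT reports, using three source entries from the `apt policy` output above, to illustrate the Label mismatch from the description and the verification in comment 6. The pin expressions are assumptions, since the actual pin from bug 53782 is not shown on this page, and matching is simplified to exact string comparison.

```python
import re

# Sample input: three source entries copied from the `apt policy` output in comment 6.
APT_POLICY = """\
1002 https://appcenter.software-univention.de/univention-repository/5.0/maintained/component ucsschool_20201208103021/amd64/ Packages
     release v=ucsschool_20201208103021,o=Univention,n=ucsschool_20201208103021/amd64,l=Univention,c=
     origin appcenter.software-univention.de
1002 https://appcenter.software-univention.de/univention-repository/5.0/maintained/component ucsschool_20201208103021/all/ Packages
     release v=ucsschool_20201208103021,o=Univention,n=ucsschool_20201208103021/all,l=Univention,c=
     origin appcenter.software-univention.de
 500 http://updates.knut.univention.de ucs502/main amd64 Packages
     release v=5.0.2,o=Univention,a=ucs502,n=ucs502,l=Univention Corporate Server,c=main,b=amd64
     origin updates.knut.univention.de
"""

def parse_fields(expr):
    """Split APT's 'k=v,k=v' release shorthand into a dict (empty values kept)."""
    fields = {}
    for part in expr.split(","):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def parse_sources(policy_text):
    """Return [priority, source, release_fields] for each entry of `apt policy`."""
    sources = []
    for line in policy_text.splitlines():
        head = re.match(r"\s*(-?\d+)\s+(\S.*)$", line)
        if head:  # "<priority> <uri> <dist> Packages"
            sources.append([int(head.group(1)), head.group(2), {}])
        elif line.strip().startswith("release ") and sources:
            sources[-1][2] = parse_fields(line.strip()[len("release "):])
    return sources

def matched_sources(pin_release, policy_text):
    """Sources for which every condition of a 'Pin: release ...' line holds."""
    wanted = parse_fields(pin_release)
    return [src for _prio, src, rel in parse_sources(policy_text)
            if all(rel.get(k) == v for k, v in wanted.items())]

if __name__ == "__main__":
    # Hypothetical pin expressions: label-based, origin-only, codename-based.
    for pin in ("l=ucs@school", "o=Univention", "n=ucsschool_20201208103021/all"):
        print(pin, "->", len(matched_sources(pin, APT_POLICY)), "source(s)")
```

A label-based condition matches none of the production sources, an origin-only condition matches all three, and the codename condition matches exactly the one component source.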
Comment 7 Jürn Brodersen univentionstaff 2023-03-20 18:39:34 CET
Already uploaded to the appcenter -> Close

If this error occurs again, please clone this bug.