Univention Bugzilla – Bug 56157
remove "maintained" repository path detection from univention-list-installed-unmaintained-packages
Last modified: 2023-06-19 15:13:44 CEST
univention-list-installed-unmaintained-packages relies internally on the repository structure and "trusts" the repository server that packages in a folder "maintained" are under maintenance by Univention. If operators decide to host their local repository server they are free to add any package to a "maintenance" folder, so the script doesn't detect them as "not maintained by Univention". I propose the script should print a WARN message in case the repository server is not the Univention default.
INVALID: In UCS 5.0 `univention-list-installed-unmaintained-packages` uses a list of "maintained packages" from "/usr/share/univention-errata-level/maintained-packages.txt" shipped as part of "univention-errata-level". This changed for UCS 5.0-0 as all packages live in "pool/" and we no longer have two "[un]maintained" repositories.
REOPEN: I had the problem on a customer environment running 5.0-3. On that instance the code still checks for "maintained". And a customer has done what I described (running his own "maintained" repo), and the customer-specific packages are not listed as "unmaintained".
My statement is true for "core UCS". The logic was implemented for Bug #52833, which asked for "maintained components" to get exempted. Currently there is no generic mechanism for components to add an additional list of packages to be considered maintained (by Univention). We could convert /usr/share/univention-errata-level/maintained-packages.txt into a directory, where our(!) components can put additional lists. Do we also need to cryptographically sign them to prevent users from lying about the "maintained" status?
My intention here is not to enhance the tool to add more "sources of maintenance" but our own. The problem here is: If a customer decides to build his own repository using the keyword "maintenance" as path on the repository server, the tool assumes everything is maintained (by Univention). That's wrong. I learned from comment #2 that the path isn't needed anymore to distinguish between "maintained" and "unmaintained", so we can simply remove that. I changed the bug title to reflect that. In ./base/univention-updater/modules/univention/updater/scripts/list_installed_unmaintained_packages.py we can simplify "get_installed_packages" and remove the "from_maintained_repo" set:

```python
from typing import Set, Tuple

import apt


def get_installed_packages() -> Tuple[Set[str], Set[str]]:
    cache = apt.Cache()
    installed_packages = set()
    from_maintained_repo = set()
    for package in cache:
        if cache[package.name].is_installed:
            installed_packages.add(package.name)
            # maintained components
            if next((True for i in package.candidate.uris if '/maintained/component/' in i), False):
                # TODO also test package.candidate.origins
                # [<Origin component:'' archive:'' origin:'Univention' label:'Univention' site:'appcenter.software-univention.de' isTrusted:True>,
                # <Origin component:'now' archive:'now' origin:'' label:'' site:'' isTrusted:False>]
                # e.g. site is appcenter.software-univention.de or service.univention.de, or isTrusted is True
                from_maintained_repo.add(package.name)
    return installed_packages, from_maintained_repo
```
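
The sketch below is an added example, not part of the bug report and not Univention's code. It contrasts the quoted substring check with a check on the parsed hostname, so a "/maintained/component/" path on a non-Univention server produces a warning instead of a "maintained" verdict. The function names and sample URIs are hypothetical; the host list is an assumption taken from the TODO comment in the quoted function.

```python
from urllib.parse import urlsplit

# Assumption: the two hosts named in the TODO comment of the quoted function.
UNIVENTION_HOSTS = frozenset({
    "appcenter.software-univention.de",
    "service.univention.de",
})
MARKER = "/maintained/component/"


def path_says_maintained(uris):
    """The quoted check: substring match on the URI, host ignored."""
    return any(MARKER in uri for uri in uris)


def host_is_univention(uri):
    """Exact match on the parsed hostname, so look-alike names fail."""
    host = urlsplit(uri).hostname
    return host is not None and host.lower() in UNIVENTION_HOSTS


def classify(uris):
    """Return 'maintained', 'unmaintained', or 'warn' (marker path, foreign host)."""
    marked = [u for u in uris if MARKER in urlsplit(u).path]
    if not marked:
        return "unmaintained"
    if any(host_is_univention(u) for u in marked):
        return "maintained"
    return "warn"


def audit(packages):
    """Map each package name to its verdict."""
    return {name: classify(uris) for name, uris in packages.items()}


# Constructed sample: package name -> candidate URIs (not real packages).
SAMPLE = {
    "univention-app": ["https://appcenter.software-univention.de/univention-repository/5.0/maintained/component/app_1/all/app_1.0_all.deb"],
    "customer-tool": ["http://repo.customer.example/5.0/maintained/component/custom/all/customer-tool_1.0_all.deb"],
    "look-alike": ["http://service.univention.de.mirror.example/5.0/maintained/component/x/all/x_1.0_all.deb"],
    "local-build": ["file:/var/cache/local/local-build_1.0_all.deb"],
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE).items():
        print(f"{verdict:12} path_check={path_says_maintained(SAMPLE[name])} {name}")
```
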