Bug 56157 - remove "maintained" repository path detection from univention-list-installed-unmaintained-packages
Status: REOPENED
Product: UCS
Classification: Unclassified
Component: Update - univention-updater
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: UCS maintainers
QA Contact: UCS maintainers
Depends on: 52833
Reported: 2023-06-19 13:06 CEST by Ingo Steuwer
Modified: 2023-06-19 15:13 CEST (History)
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 1: Nuisance – not a big deal but noticeable
User Pain: 0.011
Description Ingo Steuwer univentionstaff 2023-06-19 13:06:15 CEST
univention-list-installed-unmaintained-packages relies internally on the repository structure and "trusts" the repository server that packages in a folder "maintained" are under maintenance by Univention.

If operators decide to host their local repository server they are free to add any package to a "maintenance" folder, so the script doesn't detect them as "not maintained by Univention". 

I propose the script should print a WARN message in case the repository server is not the Univention default.
Comment 1 Philipp Hahn univentionstaff 2023-06-19 14:00:29 CEST
INVALID: In UCS 5.0 `univention-list-installed-unmaintained-packages` uses a list of "maintained packages" from "/usr/share/univention-errata-level/maintained-packages.txt" shipped as part of "univention-errata-level". This changed for UCS 5.0-0 as all packages live in "pool/" and we no longer have two "[un]maintained" repositories.
Comment 2 Ingo Steuwer univentionstaff 2023-06-19 14:09:09 CEST
REOPEN:

I had the problem on a customer environment running 5.0-3

On that instance the code still checks for "maintained". And a customer has done what I described (running his own "maintained" repo), and the customer specific packages are not listed as "unmaintained".
Comment 3 Philipp Hahn univentionstaff 2023-06-19 14:56:46 CEST
My statement is true for "core UCS". The logic was implemented for Bug #52833 which asked for "maintained components" to get exempted.

Currently there is no generic mechanism for components to add an additional list of packages to be considered maintained (by Univention).

We could convert /usr/share/univention-errata-level/maintained-packages.txt into a directory, where our(!) components can put additional lists.
Do we also need to cryptographically sign them to prevent users from lying about the "maintained" status?
Comment 4 Ingo Steuwer univentionstaff 2023-06-19 15:13:44 CEST
My intention here is not to enhance the tool to add more "sources of maintenance" but our own.

The problem here is: If a customer decides to build his own repository using the keyword "maintenance" as path on the repository server, the tool assumes everything is maintained (by Univention). That's wrong.

I learned from comment #2 that the path isn't needed anymore to distinguish between "maintained" and "unmaintained", so we can simply remove that. I changed the bug title to reflect that.

In ./base/univention-updater/modules/univention/updater/scripts/list_installed_unmaintained_packages.py we can simplify "get_installed_packages" and remove the "from_maintained_repo" set:

from typing import Set, Tuple

import apt


def get_installed_packages() -> Tuple[Set[str], Set[str]]:
    cache = apt.Cache()
    installed_packages = set()
    from_maintained_repo = set()
    for package in cache:
        if cache[package.name].is_installed:
            installed_packages.add(package.name)
            # maintained components
            if next((True for i in package.candidate.uris if '/maintained/component/' in i), False):
                # TODO also test package.candidate.origins
                #  [<Origin component:'' archive:'' origin:'Univention' label:'Univention' site:'appcenter.software-univention.de' isTrusted:True>,
                #   <Origin component:'now' archive:'now' origin:'' label:'' site:'' isTrusted:False>]
                # e.g. site is appcenter.software-univention.de or service.univention.de, or isTrusted is True
                from_maintained_repo.add(package.name)
    return installed_packages, from_maintained_repo
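
The effect discussed in this report, as an added example that is not the script's own code: it compares the path-substring exemption from the quoted function, a variant that also requires one of the hosts named in the TODO comment, and the list-only behaviour proposed in comment 4. It assumes the script removes `from_maintained_repo` from its "unmaintained" result; the package names, URIs and the `MAINTAINED` set (standing in for maintained-packages.txt) are constructed.

```python
from typing import Callable, Dict, List, Optional, Set
from urllib.parse import urlsplit

# Hosts named in the TODO comment of the quoted function.
UNIVENTION_SITES = {"appcenter.software-univention.de", "service.univention.de"}
MARKER = "/maintained/component/"  # substring the quoted function looks for


def exempt_by_path(uris: List[str]) -> bool:
    """Behaviour of the quoted function: any URI containing the marker counts."""
    return any(MARKER in uri for uri in uris)


def exempt_by_path_and_host(uris: List[str]) -> bool:
    """The marker only counts when the URI's host is a listed Univention site."""
    return any(
        MARKER in uri and urlsplit(uri).hostname in UNIVENTION_SITES for uri in uris
    )


def unmaintained(
    installed: Dict[str, List[str]],
    maintained: Set[str],
    exempt: Optional[Callable[[List[str]], bool]] = None,
) -> Set[str]:
    """Installed packages neither on the shipped list nor exempted by `exempt`.

    exempt=None models the proposal in comment 4: the list is the only source.
    """
    return {
        name
        for name, uris in installed.items()
        if name not in maintained and not (exempt and exempt(uris))
    }


# Constructed sample data: package name -> candidate URIs.
INSTALLED = {
    "univention-updater": ["https://service.univention.de/pool/main/univention-updater.deb"],
    "example-app": ["https://appcenter.software-univention.de/5.0/maintained/component/example-app/all/example-app.deb"],
    "customer-tool": ["http://repo.customer.example/5.0/maintained/component/local/all/customer-tool.deb"],
}
MAINTAINED = {"univention-updater"}  # assumption: stands in for maintained-packages.txt

if __name__ == "__main__":
    for label, rule in (("path", exempt_by_path), ("path+host", exempt_by_path_and_host), ("list only", None)):
        print(label, sorted(unmaintained(INSTALLED, MAINTAINED, rule)))
```

The list-only result also flags `example-app`, which is the exemption for maintained components from Bug #52833 that comment 3 refers to.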