Advice needed: update-manager in wheezy considered dangerous


Advice needed: update-manager in wheezy considered dangerous

Julian Andres Klode-4
Dear release team, I report this problem as we have switched our package management
stack in wheezy from update-manager and other components to PackageKit. Those
old components are still in wheezy however, and especially update-manager can
be considered to be horribly dangerous: It might break systems or contain extreme
security issues as it has not seen someone really care about it for 2 years.

We cannot simply remove update-manager however, as there are reverse
dependencies. The most important ones appear to be:

  * upgrade-system
  * update-notifier

We could simply drop upgrade-system from testing. For update-notifier, we cannot
do this, as update-notifier-kde depends on update-notifier-common, and there are
no other notifiers for KDE AFAIK. I could however upload an empty update-notifier
package (for GNOME) that switches the user to the PackageKit notifier, thus
removing that reverse dependency.

Summary of the proposed solution:
        1. Remove upgrade-system from testing
        2. Replace update-notifier binary package with a package transitioning
           users to gnome-packagekit
        3. Remove update-manager from testing or transition users to PackageKit

Please let me know what you think, and if I missed something.

PS: Yes, I know that we're late in freeze, but I feel that we should not have
that package in a stable release.

PPS: Please keep me CCed (and maybe pkg-gnome-maintainers as well)
--
Julian Andres Klode  - Debian Developer, Ubuntu Member

See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.


Re: Advice needed: update-manager in wheezy considered dangerous

Michael Gilbert-6
On Mon, Mar 11, 2013 at 7:42 PM, Julian Andres Klode  wrote:
> Dear release team, I report this problem as we have switched our package management
> stack in wheezy from update-manager and other components to PackageKit. Those
> old components are still in wheezy however, and especially update-manager can
> be considered to be horribly dangerous: It might break systems or contain extreme
> security issues as it has not seen someone really care about it since 2 years.

In my opinion, it is really way too late for this.  If you want to
discourage people from using update-manager in wheezy, a patch to the
release notes would be most helpful.  Otherwise, let's not waste time
on a rather disruptive change when it can wait till the start of
jessie.

Best wishes
Mike


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]
Archive: http://lists.debian.org/CANTw=MPS-ohh04ODfe42JfLYUDaEHWP+CAeUADHT9qzwb9Ozmw@...


Re: Advice needed: update-manager in wheezy considered dangerous

Julian Andres Klode-4
On Mon, Mar 11, 2013 at 07:52:24PM -0400, Michael Gilbert wrote:

> On Mon, Mar 11, 2013 at 7:42 PM, Julian Andres Klode  wrote:
> > Dear release team, I report this problem as we have switched our package management
> > stack in wheezy from update-manager and other components to PackageKit. Those
> > old components are still in wheezy however, and especially update-manager can
> > be considered to be horribly dangerous: It might break systems or contain extreme
> > security issues as it has not seen someone really care about it since 2 years.
>
> In my opinion, it is really way too late for this.  If you want to
> discourage people from using update-manager in wheezy, a patch to the
> release notes would be most helpful.  Otherwise, let's not waste time
> on a rather disruptive change when it can wait till the start of
> jessie.

This seems like a much better idea, yes. I just hope enough people
read those.

--
Julian Andres Klode  - Debian Developer, Ubuntu Member

See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.


Archive: http://lists.debian.org/20130312005949.GA23298@...


Re: Advice needed: update-manager in wheezy considered dangerous

Russ Allbery-2
Julian Andres Klode <[hidden email]> writes:
> On Mon, Mar 11, 2013 at 07:52:24PM -0400, Michael Gilbert wrote:

>> In my opinion, it is really way too late for this.  If you want to
>> discourage people from using update-manager in wheezy, a patch to the
>> release notes would be most helpful.  Otherwise, let's not waste time
>> on a rather disruptive change when it can wait till the start of
>> jessie.

> This seems like a much better idea, yes. I just hope enough people
> read those.

In this particular upgrade, I think there's some possibility (depending on
whether we can track down all the odd dependency loops or not) that people
who don't read the release notes are going to get the infamous "could not
perform immediate configuration" error from apt.  So chances may be higher
this upgrade than many.  :)

--
Russ Allbery ([hidden email])               <http://www.eyrie.org/~eagle/>


Archive: http://lists.debian.org/87zjy9jx7o.fsf@...


Re: Advice needed: update-manager in wheezy considered dangerous

Julian Andres Klode-4
In reply to this post by Julian Andres Klode-4
On Tue, Mar 12, 2013 at 01:04:25AM +0100, Julian Andres Klode wrote:

> On Mon, Mar 11, 2013 at 07:52:24PM -0400, Michael Gilbert wrote:
> > On Mon, Mar 11, 2013 at 7:42 PM, Julian Andres Klode  wrote:
> > > Dear release team, I report this problem as we have switched our package management
> > > stack in wheezy from update-manager and other components to PackageKit. Those
> > > old components are still in wheezy however, and especially update-manager can
> > > be considered to be horribly dangerous: It might break systems or contain extreme
> > > security issues as it has not seen someone really care about it since 2 years.
> >
> > In my opinion, it is really way too late for this.  If you want to
> > discourage people from using update-manager in wheezy, a patch to the
> > release notes would be most helpful.  Otherwise, let's not waste time
> > on a rather disruptive change when it can wait till the start of
> > jessie.
>
> This seems like a much better idea, yes. I just hope enough people
> read those.

Thinking further, it might also make sense to add a warning to the
description of the update-manager packages as well; to prevent
new installations.

--
Julian Andres Klode  - Debian Developer, Ubuntu Member

See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.


Archive: http://lists.debian.org/20130312011250.GA23298@...


Re: Advice needed: update-manager in wheezy considered dangerous

Martin-Éric Racine
In reply to this post by Julian Andres Klode-4
2013/3/12 Julian Andres Klode <[hidden email]>:

> Dear release team, I report this problem as we have switched our package management
> stack in wheezy from update-manager and other components to PackageKit. Those
> old components are still in wheezy however, and especially update-manager can
> be considered to be horribly dangerous: It might break systems or contain extreme
> security issues as it has not seen someone really care about it since 2 years.
>
> We cannot simply remove update-manager however, as there are reverse
> dependencies. The most important ones appear to be:
>
>   * upgrade-system
>   * update-notifier
>
> We could simply drop upgrade-system from testing. For update-notifier, we cannot
> do this, as update-notifier-kde depends on update-notifier-common, and there are
> no other notifiers for KDE AFAIK. I could however upload an empty update-notifier
> package (for GNOME) that switches the user to the PackageKit notifier, thus
> removing that reverse dependency.
>
> Summary of the proposed solution:
>         1. Remove upgrade-system from testing

I really don't see the point in removing upgrade-system from Testing,
since the dependency relationship is merely a Suggests.

Martin-Éric


Archive: http://lists.debian.org/CAPZXPQdVB=9wSowbwZrLjimVbTfqOm8pESFDyVWMYo1CrP0iLQ@...


Re: Advice needed: update-manager in wheezy considered dangerous

Sune Vuorela-2
In reply to this post by Julian Andres Klode-4
On 2013-03-11, Julian Andres Klode <[hidden email]> wrote:
> We could simply drop upgrade-system from testing. For update-notifier, we cannot
> do this, as update-notifier-kde depends on update-notifier-common, and there are

With the entry of apper, u-n-k can go.

/Sune


Archive: http://lists.debian.org/slrnkjtpaj.me.nospam@...


Re: Advice needed: update-manager in wheezy considered dangerous

Julian Andres Klode-4
In reply to this post by Martin-Éric Racine
On Tue, Mar 12, 2013 at 06:59:01AM +0200, Martin-Éric Racine wrote:

> 2013/3/12 Julian Andres Klode <[hidden email]>:
> > Dear release team, I report this problem as we have switched our package management
> > stack in wheezy from update-manager and other components to PackageKit. Those
> > old components are still in wheezy however, and especially update-manager can
> > be considered to be horribly dangerous: It might break systems or contain extreme
> > security issues as it has not seen someone really care about it since 2 years.
> >
> > We cannot simply remove update-manager however, as there are reverse
> > dependencies. The most important ones appear to be:
> >
> >   * upgrade-system
> >   * update-notifier
> >
> > We could simply drop upgrade-system from testing. For update-notifier, we cannot
> > do this, as update-notifier-kde depends on update-notifier-common, and there are
> > no other notifiers for KDE AFAIK. I could however upload an empty update-notifier
> > package (for GNOME) that switches the user to the PackageKit notifier, thus
> > removing that reverse dependency.
> >
> > Summary of the proposed solution:
> >         1. Remove upgrade-system from testing
>
> I really don't see the point in removing upgrade-system from Testing,
> since the dependency relationship is merely a Suggests.

Yes, sorry, I somehow missed that: apt-cache rdepends does not list
the dependency type, and I overlooked that it was only Suggests when
reading `apt-cache show upgrade-system`.

--
Julian Andres Klode  - Debian Developer, Ubuntu Member

See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.


Archive: http://lists.debian.org/20130312120039.GA24698@...
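To make the apt-cache rdepends point above concrete: the following is an added example, not code from this thread or from Debian's own tooling. It reads control stanzas in the format that `apt-cache show` prints and reports which relationship field (Pre-Depends, Depends, Recommends, Suggests or Enhances) names a given package, so that a mere Suggests is not mistaken for a hard dependency when judging whether removing a package would break its reverse dependencies. The stanzas embedded below are constructed for the demonstration and are not real package metadata; `rdep_types` and `classify_update_manager` are names chosen here.

```shell
#!/bin/sh
# Added example: classify reverse dependencies by relationship type.
# "apt-cache rdepends PKG" lists packages that mention PKG in any relationship
# field but does not say which one; this reads the fields directly.

# rdep_types PKG  < stanzas
# Prints "<package> <field>" for every stanza whose Pre-Depends/Depends/
# Recommends/Suggests/Enhances field names PKG (version constraints,
# ":arch" qualifiers and "|" alternatives are handled).
rdep_types() {
    awk -v target="$1" '
        /^Package:/ { pkg = $2 }
        /^(Pre-Depends|Depends|Recommends|Suggests|Enhances):/ {
            field = $1; sub(":", "", field)
            rest = $0; sub(/^[^:]*:[ \t]*/, "", rest)
            n = split(rest, alts, /[,|]/)
            for (i = 1; i <= n; i++) {
                name = alts[i]
                gsub(/^[ \t]+|[ \t]+$/, "", name)
                sub(/[ \t(:].*$/, "", name)   # drop "(>= 1.0)" and ":any"
                if (name == target) print pkg, field
            }
        }
        /^$/ { pkg = "" }
    '
}

# Constructed sample stanzas in "apt-cache show" format; not real package data.
SAMPLE_STANZAS='Package: upgrade-system
Version: 1.0
Depends: apt, dpkg
Suggests: update-manager, update-notifier

Package: update-notifier
Version: 0.99.3
Depends: update-notifier-common, update-manager (>= 0.200) | synaptic
Recommends: gnome-packagekit
'

# Returns one line per reverse relationship on update-manager in the sample:
#   upgrade-system Suggests
#   update-notifier Depends
classify_update_manager() {
    printf '%s' "$SAMPLE_STANZAS" | rdep_types update-manager
}

# Stand-alone run: show the classification for the sample data.
classify_update_manager
```

On a real system the same function can be fed the output of `apt-cache show` for the packages that `apt-cache rdepends` lists; only the lines tagged Pre-Depends or Depends would block a removal, while Suggests entries, as in the upgrade-system case discussed here, do not.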


Re: Advice needed: update-manager in wheezy considered dangerous

Julien Cristau-6
In reply to this post by Julian Andres Klode-4
On Tue, Mar 12, 2013 at 00:42:45 +0100, Julian Andres Klode wrote:

> Dear release team, I report this problem as we have switched our
> package management stack in wheezy from update-manager and other
> components to PackageKit. Those old components are still in wheezy
> however, and especially update-manager can be considered to be
> horribly dangerous: It might break systems or contain extreme security
> issues as it has not seen someone really care about it since 2 years.
>
You're going to need more convincing arguments than "might have issues"
to argue for removal at this stage.  As in specific ones, preferably
with bug numbers attached.

Cheers,
Julien


Re: Advice needed: update-manager in wheezy considered dangerous

Josselin Mouette
Le mardi 12 mars 2013 à 20:21 +0100, Julien Cristau a écrit :

> On Tue, Mar 12, 2013 at 00:42:45 +0100, Julian Andres Klode wrote:
>
> > Dear release team, I report this problem as we have switched our
> > package management stack in wheezy from update-manager and other
> > components to PackageKit. Those old components are still in wheezy
> > however, and especially update-manager can be considered to be
> > horribly dangerous: It might break systems or contain extreme security
> > issues as it has not seen someone really care about it since 2 years.
> >
> You're going to need more convincing arguments than "might have issues"
> to argue for removal at this stage.  As in specific ones, preferably
> with bug numbers attached.

http://bugs.debian.org/cgi-bin/pkgreport.cgi?src=update-manager
Look for “[CRASH]”, for example.

At the very least, can we make update-notifier stop starting
update-manager? This should be a trivial change.

--
 .''`.      Josselin Mouette
: :' :
`. `'
  `-


Archive: http://lists.debian.org/1363175613.28146.849.camel@pi0307572


Re: Advice needed: update-manager in wheezy considered dangerous

Matthias Klumpp
In reply to this post by Julian Andres Klode-4
(Please keep me CC'ed as I am not subscribed to the list)

Hi!
The removal of the old update-manager is fine with me. Since Apper is
available, KDE already gets shiny new notifications, so from a KDE
perspective the old update-notifier is no longer needed. (we patched
Apper for that)
For GNOME, I think GPK is fine, as it is incredibly well-integrated
with the Shell and has a nice update view. (and it is secure). The
only known issues are that changelogs are not well formatted (haven't
yet found out why the markdown parser fails there, for Apper
everything is fine - but I am working on a patch upstream) and that
someone reported that updates are not shown in his GNOME session (i.e.
no update-notification is shown). The latter might just be some
misconfiguration, as I can't reproduce that issue here, and
gnome-settings-daemon should check for updates.

Unfortunately we can't have PackageKit 0.8.x in Wheezy, which is about
twice as fast (on some operations) as the 0.7.x series on Debian ^^
Removing the update-manager might annoy people, but placing a warning
might be desirable.
Kind regards,
    Matthias

(Maintainer of PackageKit, GNOME-PackageKit and Apper for Debian)


Archive: http://lists.debian.org/CAKNHny_Q01r-XrXeTxQc8JKC8WcMgz=2QVb4XMSrB0wVd8UgsA@...


Re: Advice needed: update-manager in wheezy considered dangerous

Julian Andres Klode-4
In reply to this post by Julien Cristau-6
On Tue, Mar 12, 2013 at 08:21:52PM +0100, Julien Cristau wrote:

> On Tue, Mar 12, 2013 at 00:42:45 +0100, Julian Andres Klode wrote:
>
> > Dear release team, I report this problem as we have switched our
> > package management stack in wheezy from update-manager and other
> > components to PackageKit. Those old components are still in wheezy
> > however, and especially update-manager can be considered to be
> > horribly dangerous: It might break systems or contain extreme security
> > issues as it has not seen someone really care about it since 2 years.
> >
> You're going to need more convincing arguments than "might have issues"
> to argue for removal at this stage.  As in specific ones, preferably
> with bug numbers attached.

Issues with bug numbers:
  * It might downgrade packages without any notice (#599523)
  * It often crashes (#607105, #671468, and about 10 others)

Issues without bug numbers:
  * Nobody knows how it works or has looked at this code since
    December 2010 (apart from two uploads; fixing only
    bugs with a new Python version and a build issue; but no
    fundamental bug fixes as nobody really knows this code)
  * It is installed on every default desktop squeeze installation,
    and thus on upgraded systems as well (wide exposure)

--
Julian Andres Klode  - Debian Developer, Ubuntu Member

See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.


Archive: http://lists.debian.org/20130313235330.GA11852@...


Re: Advice needed: update-manager in wheezy considered dangerous

Emilio Pozuelo Monfort-4
In reply to this post by Julian Andres Klode-4
Hi Julian,

On 12/03/13 00:42, Julian Andres Klode wrote:

> Dear release team, I report this problem as we have switched our package management
> stack in wheezy from update-manager and other components to PackageKit. Those
> old components are still in wheezy however, and especially update-manager can
> be considered to be horribly dangerous: It might break systems or contain extreme
> security issues as it has not seen someone really care about it since 2 years.
>
> We cannot simply remove update-manager however, as there are reverse
> dependencies. The most important ones appear to be:
>
>    * upgrade-system
>    * update-notifier
>
> We could simply drop upgrade-system from testing. For update-notifier, we cannot
> do this, as update-notifier-kde depends on update-notifier-common, and there are
> no other notifiers for KDE AFAIK. I could however upload an empty update-notifier
> package (for GNOME) that switches the user to the PackageKit notifier, thus
> removing that reverse dependency.
>
> Summary of the proposed solution:
>         1. Remove upgrade-system from testing
>         2. Replace update-notifier binary package with a package transitioning
>            users to gnome-packagekit
>         3. Remove update-manager from testing or transition users to PackageKit

I think it's time to do something like this in unstable.

Regards,
Emilio

> Please let me know what you think, and if I missed something.
>
> PS: Yes, I know that we're late in freeze, but I feel that we should not have
> that package in a stable release.
>
> PPS: Please keep me CCed (and maybe pkg-gnome-maintainers as well)
>
>
>
> _______________________________________________
> pkg-gnome-maintainers mailing list
> [hidden email]
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-gnome-maintainers
>


Archive: http://lists.debian.org/518CBA6D.6030101@...


Re: Advice needed: update-manager in wheezy considered dangerous

Julian Andres Klode-4
On Fri, May 10, 2013 at 11:14:21AM +0200, Emilio Pozuelo Monfort wrote:

> Hi Julian,
>
> On 12/03/13 00:42, Julian Andres Klode wrote:
> >Dear release team, I report this problem as we have switched our package management
> >stack in wheezy from update-manager and other components to PackageKit. Those
> >old components are still in wheezy however, and especially update-manager can
> >be considered to be horribly dangerous: It might break systems or contain extreme
> >security issues as it has not seen someone really care about it since 2 years.
> >
> >We cannot simply remove update-manager however, as there are reverse
> >dependencies. The most important ones appear to be:
> >
> >   * upgrade-system
> >   * update-notifier
> >
> >We could simply drop upgrade-system from testing. For update-notifier, we cannot
> >do this, as update-notifier-kde depends on update-notifier-common, and there are
> >no other notifiers for KDE AFAIK. I could however upload an empty update-notifier
> >package (for GNOME) that switches the user to the PackageKit notifier, thus
> >removing that reverse dependency.
> >
> >Summary of the proposed solution:
> >        1. Remove upgrade-system from testing
> >        2. Replace update-notifier binary package with a package transitioning
> >           users to gnome-packagekit
> >        3. Remove update-manager from testing or transition users to PackageKit
>
> I think it's time to do something like this in unstable.

Yes. We need:
    (a) transitional packages for
        - update-notifier
        - update-notifier-kde
        - update-manager

    (b) Breaks and Provides in gnome-packagekit / apper
        gnome-packagekit on update-notifier, update-manager
        apper on update-notifier-kde


I already uploaded a new version of update-notifier, called
0.99.3debian11+perrm1, that makes update-notifier a transitional
package; and requested update-manager's removal from unstable.

I kept the update-notifier-common package the way it is now,
so update-notifier-kde keeps working until it is replaced by
a transitional package to apper. After that happened,
update-notifier-common will be dropped.

--
Julian Andres Klode  - Debian Developer, Ubuntu Member

See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.


Archive: http://lists.debian.org/20130510135851.GA32247@...


Re: Advice needed: update-manager in wheezy considered dangerous

Martin-Éric Racine
As stated a few months ago in this discussion, upgrade-system merely Suggests update-notifier. It therefore doesn't need to be removed.

Martin-Éric



Re: Advice needed: update-manager in wheezy considered dangerous

Julian Andres Klode-4
On Fri, May 10, 2013 at 03:52:44PM +0300, Martin-Éric Racine wrote:
> As stated a few months in this discussion, upgrade-system merely Suggests
> update-notifier. It therefore doesn't need to be removed.
>
> Martin-Éric

I remembered that, that's why I did not mention it again.

--
Julian Andres Klode  - Debian Developer, Ubuntu Member

See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.


Archive: http://lists.debian.org/20130510150837.GA14642@...
