Package: synaptic
Version: 0.84.6mint1+debbie
Severity: normal

Dear Michael Vogt,

today I discovered that several packages on my system were outdated but that synaptic had failed to inform me about it at all.

My current situation is that synaptic is performing an automated repository update on a regular schedule and I install them manually after reviewing the listed packages. The occasions where I manually update the repositories from command line are very rare. And I don't usually click the "Update"-button in synaptic, either.

Today I did click the button (with no real purpose, just by chance), and was confronted with a message that several repositories couldn't be updated because their signing keys were expired. Up to this point this update process must have failed silently, probably several times. I don't know whether I can look this up (I already updated the keys and the involved packages) but I assume that the expiration wasn't just today but sometime within the last weeks or even months.

The reason why I thought about selecting a higher severity initially (but reportbug wouldn't easily let me) is that this issue can lead to the situation that critical software isn't updated and known vulnerabilities aren't fixed. And that without the user even knowing that there might be a problem with the package list. At least if a user relies (solely) on synaptic to keep the system up-to-date.

Over time, I got several of those messages displayed at the top of the app list (sorry, don't know their technical term, the mostly yellow/orange boxes) informing me that:
- I should do a system reboot even when the updated kernel wasn't the one that was actively used by my system (I use a different kernel for better hardware compatibility, but keep the debian kernel up-to-date as a fallback),
- I should select a different mirror because my selected one was down, although the mirror is only down/unreachable for a short period of time if this happens at all.

I would argue that a similar message box for update errors like (but not necessarily limited to) expired signing keys would be essential for this app to fulfill its purpose. Especially because those errors (unlike the mirror message) won't fix themselves over time.

I think that for users that rely on synaptic to not only update the repository list but also to install said updates, there should even be some other way in place to communicate update errors. If synaptic claims to be able to perform automated updates, it should either handle such cases (which it obviously can't in every single case) or speak up if it needs user attention. That's why I see this as a (critical, because it can prevent known vulnerabilities from being patched) bug and not a feature request.

Thanks in advance.
Alex

-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.12.0-19.3-liquorix-amd64 (SMP w/12 CPU cores; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages synaptic depends on:
ii  hicolor-icon-theme   0.17-2
ii  libapt-inst2.0       1.8.2.3
ii  libapt-pkg5.0        1.8.2.3
ii  libatk1.0-0          2.30.0-2
ii  libc6                2.28-10
ii  libcairo-gobject2    1.16.0-4+deb10u1
ii  libcairo2            1.16.0-4+deb10u1
ii  libept1.5.0          1.1+nmu3+b1
ii  libgcc1              1:8.3.0-6
ii  libgdk-pixbuf2.0-0   2.38.1+dfsg-1
ii  libglib2.0-0         2.58.3-2+deb10u3
ii  libgnutls30          3.6.7-4+deb10u7
ii  libgtk-3-0           3.24.5-1
ii  libpango-1.0-0       1.42.4-8~deb10u1
ii  libpangocairo-1.0-0  1.42.4-8~deb10u1
ii  libpcre2-8-0         10.32-5
ii  libstdc++6           8.3.0-6
ii  libvte-2.91-0        0.54.2mint1+debbie
ii  libx11-6             2:1.6.7-1+deb10u2
ii  libxapian30          1.4.11-1
ii  libxapp1             2.2.3+debbie
ii  policykit-1          0.105-25
ii  zenity               3.30.0-2
ii  zlib1g               1:1.2.11.dfsg-1

Versions of packages synaptic recommends:
ii  libgtk2-perl  2:1.24992-1+b2
ii  xdg-utils     1.1.3-1+deb10u1

Versions of packages synaptic suggests:
pn  apt-xapian-index         <none>
pn  deborphan                <none>
pn  dwww                     <none>
pn  menu                     <none>
pn  software-properties-gtk  <none>
ii  tasksel                  3.53

-- no debconf information
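
One way to catch the silent failure described in this report is to scan the output of a scheduled `apt-get update` for signature-verification warnings and alert on them. The script below is an added example, not part of the original report and not synaptic or apt code; the function names, hosts and key IDs are made up, and it assumes the English "GPG error:" wording that apt prints in the C locale.

```sh
#!/bin/sh
# Added example: surface APT signature failures that an unattended refresh hides.

# Constructed sample of `apt-get update` output (hosts and key IDs are made up).
sample_update_output() {
    cat <<'EOF'
Hit:1 http://deb.example.org/debian buster InRelease
Err:2 http://repo.example.net/apt stable InRelease
  The following signatures were invalid: EXPKEYSIG 0123456789ABCDEF Example Key <k@example.net>
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://repo.example.net/apt stable InRelease: The following signatures were invalid: EXPKEYSIG 0123456789ABCDEF Example Key <k@example.net>
W: GPG error: http://other.example.com/apt ./ Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY FEDCBA9876543210
EOF
}

# Read update output on stdin; print "STATUS KEYID REPOSITORY" once per failure.
apt_sig_failures() {
    awk '
    /GPG error: / {
        # Text after the marker is "<repository>: The following signatures ..."
        rest = substr($0, index($0, "GPG error: ") + 11)
        cut = index(rest, ": The following signatures")
        if (cut == 0) next
        repo = substr(rest, 1, cut - 1)
        if (match(rest, /(EXPKEYSIG|KEYEXPIRED|REVKEYSIG|BADSIG|NO_PUBKEY) [0-9A-Fa-f]+/)) {
            line = substr(rest, RSTART, RLENGTH) " " repo
            if (!(line in seen)) { seen[line] = 1; print line }
        }
    }'
}

# Return 1 and report on stderr when any repository failed verification.
check_update_output() {
    failures=$(apt_sig_failures)
    [ -z "$failures" ] && return 0
    printf 'APT signature failures, package lists are stale:\n%s\n' "$failures" >&2
    return 1
}

# Real use, from cron or a systemd timer (C locale keeps the message text English):
#   LC_ALL=C apt-get update 2>&1 | check_update_output || <notify the admin>
sample_update_output | apt_sig_failures
```

The check reads the warning text rather than the exit status of the update, so it still fires when the refresh itself is reported as finished.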