Then if neither 'apt' nor 'landscape' can have a viable change, the only other workaround I can think of would be to modify the way the USN database pickle works to include dependencies for packages with a USN vulnerability, to avoid situations like this, at least for dependencies within the same source package.

Example: In this case, if instead of only flagging systemd, the USN was also flagging libsystemd0 (part of the same source package), the problem wouldn't have happened.

I would like to have security's thoughts about this?

- Eric

** Summary changed:

- apt behaviour with strict dependencies
+ apt behaviour when package version -gt in -update than -security with strict dependencies rules

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1788486

Title:
  apt behaviour when package with strict dependencies rules and version -gt in -updates than -security.

Status in apt package in Ubuntu: Won't Fix
Status in landscape-client package in Ubuntu: Won't Fix
Status in apt source package in Xenial: Won't Fix
Status in landscape-client source package in Xenial: Won't Fix
Status in apt source package in Bionic: Won't Fix
Status in landscape-client source package in Bionic: Won't Fix

Bug description:
  [Impact]

  We noticed that situation while investigating a security update using Landscape, but it also applies to 'apt' outside the Landscape context.

  'apt' should be smarter to detect/install packages with strict dependencies such as systemd[1] when a version is specified for upgrade (Ex: $ apt-get install systemd=229-4ubuntu-21.1). It should automatically install the dependencies (if any) from that same version as well, instead of failing while trying to install the highest version available (if any) for the dependencies while installing the specified version for the one mentioned:

  ========================
  $ apt-get install systemd=229-4ubuntu-21.1
  ....
  "systemd : Depends: libsystemd0 (= 229-4ubuntu21.1) but 229-4ubuntu21.4 is to be installed"
  =========================

  To face that problem:

  - Package with lower version should be found in -security (Ex: systemd/229-4ubuntu21.1)
  - Package with higher version should be found in -updates (Ex: systemd/229-4ubuntu21.4)
  - Package should have strict dependencies (Ex: libsystemd0 (= ${binary:Version}))
  - The upgrade should only specify the version for the package, without its dependencies. (Ex: $ apt-get install systemd=229-4ubuntu-21.1  # systemd without libsystemd0 depends)

  Using systemd is a good reproducer; I'm sure finding other packages with the same situation is easy. It has been easily reproduced with systemd on Xenial and Bionic so far.

  [1] debian/control
  Depends: ${shlibs:Depends}, ${misc:Depends}, libsystemd0 (= ${binary:Version}), ...

  [Workaround]

  If package + dependencies are specified, the upgrade works just fine:

  Ex: $ apt-get install systemd=229-4ubuntu-21.1 libsystemd0=229-4ubuntu-21.1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1788486/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
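The workaround in the bug (pin the package and every strict "(= version)" dependency to the same version) and Eric's proposal (treat same-source-package dependencies as part of the same security update) can both be automated from the Depends fields of the candidate package records. The following is an added example, not code from the bug report, apt, Landscape or the USN tooling: it parses a small constructed set of control-style records (the `hypothetical-tool` package and its `Source` are invented to show the cross-source case), follows only `=` relationships, and produces the `apt-get install pkg=version ...` argument list. With `same_source_only=True` it stops at dependencies from other source packages, matching the narrower rule Eric suggests for the USN database.

```python
import re

# Constructed sample of `apt-cache show`-style records for illustration only;
# versions mirror the ones quoted in the bug, but the stanzas are not real
# archive data and `hypothetical-tool` is an invented package.
SAMPLE_RECORDS = """\
Package: systemd
Version: 229-4ubuntu21.1
Source: systemd
Depends: libsystemd0 (= 229-4ubuntu21.1), libc6 (>= 2.17), hypothetical-tool (= 1.0), util-linux

Package: libsystemd0
Version: 229-4ubuntu21.1
Source: systemd
Depends: libc6 (>= 2.17), libgcrypt20 (>= 1.7.0)

Package: systemd
Version: 229-4ubuntu21.4
Source: systemd
Depends: libsystemd0 (= 229-4ubuntu21.4), libc6 (>= 2.17)

Package: libsystemd0
Version: 229-4ubuntu21.4
Source: systemd
Depends: libc6 (>= 2.17)

Package: hypothetical-tool
Version: 1.0
Source: hypothetical-tool
Depends: libc6 (>= 2.17)
"""

# One dependency atom: "name" or "name (op version)"; op is one of <<, <=, =, >=, >>.
DEP_RE = re.compile(r"^\s*([A-Za-z0-9.+-]+)\s*(?:\(\s*([<>=]+)\s*([^)\s]+)\s*\))?\s*$")


def parse_records(text):
    """Parse control stanzas into {(package, version): {"source": str, "depends": [(name, op, ver)]}}."""
    records = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            key, _, value = line.partition(":")  # split at the first colon only (epochs contain ':')
            fields[key.strip()] = value.strip()
        deps = []
        for group in filter(None, (d.strip() for d in fields.get("Depends", "").split(","))):
            first_alternative = group.split("|")[0]  # keep the first of "a | b" alternatives
            m = DEP_RE.match(first_alternative)
            if m:
                deps.append((m.group(1), m.group(2), m.group(3)))
        records[(fields["Package"], fields["Version"])] = {
            "source": fields.get("Source", fields["Package"]),
            "depends": deps,
        }
    return records


def expand_pins(records, package, version, same_source_only=True):
    """Return sorted 'pkg=version' pins for package=version plus every strict (=) dependency
    reachable from it.  Relational deps (>=, <<, ...) are left for apt to resolve."""
    if (package, version) not in records:
        raise KeyError(f"{package}={version} is not a known candidate")
    pins = {}
    stack = [(package, version)]
    while stack:
        pkg, ver = stack.pop()
        if pkg in pins:
            continue
        pins[pkg] = ver
        rec = records.get((pkg, ver))
        if rec is None:
            continue  # pinned from its parent's Depends line, but we cannot follow its own deps
        for dep, op, dep_ver in rec["depends"]:
            if op != "=":
                continue
            dep_rec = records.get((dep, dep_ver))
            if same_source_only and (dep_rec is None or dep_rec["source"] != rec["source"]):
                continue  # Eric's narrower rule: only siblings of the same source package
            stack.append((dep, dep_ver))
    return [f"{p}={v}" for p, v in sorted(pins.items())]


def apt_command(records, request, same_source_only=True):
    """Turn 'pkg=version' into the full apt-get argument list the bug's workaround needs."""
    pkg, _, ver = request.partition("=")
    return ["apt-get", "install"] + expand_pins(records, pkg, ver, same_source_only)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print(" ".join(apt_command(recs, "systemd=229-4ubuntu21.1")))
    print(" ".join(apt_command(recs, "systemd=229-4ubuntu21.1", same_source_only=False)))
```

On a real host the records would come from `apt-cache show systemd libsystemd0` (or from `apt-cache depends`); the point of the helper is that the resulting command names both `systemd=...` and `libsystemd0=...`, which is exactly the form the [Workaround] section shows succeeding where the bare `systemd=...` pin fails.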