Devuan bug report logs - #294
task-kde-desktop silently pulls in unattended-upgrades

version graph

Package: python3-software-properties; Maintainer for python3-software-properties is (unknown); Source for python3-software-properties is src:software-properties.

Reported by: Olaf Meeuwissen <paddy-hack@member.fsf.org>

Date: Sun, 17 Feb 2019 11:33:01 UTC

Severity: normal

Tags: debian

Fixed in version 0.99.30-1

Done: Mark Hindley <mark@hindley.org.uk>

Forwarded to https://bugs.debian.org/447701

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to devuan-bugs@lists.dyne.org, owner@bugs.devuan.org:
bug#294; Package tasksel. (full text, mbox, link).


Acknowledgement sent to Olaf Meeuwissen <paddy-hack@member.fsf.org>:
New bug report received and forwarded. Copy sent to owner@bugs.devuan.org. (full text, mbox, link).


Message #5 received at submit@bugs.devuan.org (full text, mbox, reply):

From: Olaf Meeuwissen <paddy-hack@member.fsf.org>
To: submit@bugs.devuan.org
Subject: task-kde-desktop silently pulls in unattended-upgrades
Date: Sun, 17 Feb 2019 20:23:48 +0900
[Message part 1 (text/plain, inline)]
Package: tasksel
Version: 3.48+devuan1

This came up on the mailing list[1] and Katolaz asked if I could submit
a bug report against this package so it would not be forgotten.

 [1]: https://lists.dyne.org/lurker/thread/20190214.170424.6845e4be.en.html

The general consensus on the mailing list was that unattended-upgrades
should not "slip in a standard Devuan install unnoticed".

On the mailing list I provided details based on ASCII but I figured it
would be more useful to look at beowulf.  The following is based on an
up-to-date (2019-02-17) Docker image[2].

 [2]: docker pull registry.gitlab.com/paddy-hack/devuan/slim:beowulf

First off, I must say that the approach I used on the mailing list is
flawed.  It does not handle the case of alternatives correctly as it
chases down dependency relations for *all* listed alternatives.  This
leads to false positives.

# All desktop tasks listed all desktop tasks as their dependencies in
# the case Recommends: are allowed :-/

So I followed a slightly different approach and did dry-run installs in
my devuan/slim:beowulf Docker image.

After installing tasksel, I ran

  tasksel --list-tasks \
    | awk '$2 ~ /desktop/ { print $2 }' \
    | while read task; do
        package=$(tasksel --task-packages $task)
        apt-get --dry-run install --install-recommends \
                $package > $package.install-recommends-dry-run
      done
  grep -l unattended-upgrades *.install-recommends-dry-run

That yielded

  task-kde-desktop.install-recommends-dry-run

So the KDE desktop task is the only supported Devuan desktop tasks that
would "slip in unattended-upgrades unnoticed".

I've attached the output of

  apt-cache depends --recurse --no-suggests --no-conflicts --no-breaks \
            --no-enhances --no-replaces task-kde-desktop

so you check for yourself but unattended-upgrades gets pulled in via a
rather complex dependency chain that may not be easy to break :-/

# Much, much more so with beowulf than in ascii.

I think the easiest way to get out of this "mess" is to downgrade the
dependency on unattended-upgrades from a Recommends: to a Suggests: in
python3-software-properties.

Hope this helps,
--
Olaf Meeuwissen, LPIC-2            FSF Associate Member since 2004-01-27
 GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13  F43E B8A4 A88A F84A 2DD9
 Support Free Software                        https://my.fsf.org/donate
 Join the Free Software Foundation              https://my.fsf.org/join
[task-kde-desktop.depends (text/plain, attachment)]

Information forwarded to devuan-bugs@lists.dyne.org, owner@bugs.devuan.org:
bug#294; Package tasksel. (full text, mbox, link).


Acknowledgement sent to Mark Hindley <mark@hindley.org.uk>:
Extra info received and forwarded to list. Copy sent to owner@bugs.devuan.org. (full text, mbox, link).


Message #10 received at 294@bugs.devuan.org (full text, mbox, reply):

From: Mark Hindley <mark@hindley.org.uk>
To: Olaf Meeuwissen <paddy-hack@member.fsf.org>
Cc: 294@bugs.devuan.org
Subject: Re: task-kde-desktop silently pulls in unattended-upgrades
Date: Thu, 12 Sep 2019 13:34:55 +0100
Olaf,

I am doing some work on tasksel for beowulf and saw this bug.
It still appears to be present.

On Sun, Feb 17, 2019 at 08:23:48PM +0900, Olaf Meeuwissen wrote:
> I think the easiest way to get out of this "mess" is to downgrade the
> dependency on unattended-upgrades from a Recommends: to a Suggests: in
> python3-software-properties.

The problem with that is we don't currently fork that pacakge.

The other way might be to not include apper. I don't use KDE myself and have no
idea if that would be more of a problem? Do you use the desktop?

Best wishes

Mark


Information forwarded to devuan-bugs@lists.dyne.org, owner@bugs.devuan.org:
bug#294; Package tasksel. (full text, mbox, link).


Acknowledgement sent to Olaf Meeuwissen <paddy-hack@member.fsf.org>:
Extra info received and forwarded to list. Copy sent to owner@bugs.devuan.org. (full text, mbox, link).


Message #15 received at 294@bugs.devuan.org (full text, mbox, reply):

From: Olaf Meeuwissen <paddy-hack@member.fsf.org>
To: Mark Hindley <mark@hindley.org.uk>
Cc: 294@bugs.devuan.org
Subject: Re: task-kde-desktop silently pulls in unattended-upgrades
Date: Tue, 24 Sep 2019 20:36:30 +0900
Hi Mark,

Sorry for the belated follow-up.  I've been travelling.

Mark Hindley writes:

> Olaf,
>
> I am doing some work on tasksel for beowulf and saw this bug.
> It still appears to be present.
>
> On Sun, Feb 17, 2019 at 08:23:48PM +0900, Olaf Meeuwissen wrote:
>> I think the easiest way to get out of this "mess" is to downgrade the
>> dependency on unattended-upgrades from a Recommends: to a Suggests: in
>> python3-software-properties.
>
> The problem with that is we don't currently fork that pacakge.
>
> The other way might be to not include apper. I don't use KDE myself and have no
> idea if that would be more of a problem? Do you use the desktop?

I don't use KDE myself.

If downgrading the apper Recommends: to a Suggests: on task-kde-desktop
prevents pulling in unattended-upgrades, I guess that would be fine.
Users that want apper can always install it later themselves.

It's just that doing it on python3-software-properties would be less of
an issue for users of apper.  Of course, if apper provides some optional
functionality that relies on unattended-upgrades that users want, they'd
be in a similar boat and need to install that themselves.

Anyway, forking python3-software-properties just to change an optional
dependency is probably overkill.

Hope this helps,
--
Olaf Meeuwissen, LPIC-2            FSF Associate Member since 2004-01-27
 GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13  F43E B8A4 A88A F84A 2DD9
 Support Free Software                        https://my.fsf.org/donate
 Join the Free Software Foundation              https://my.fsf.org/join


Information forwarded to devuan-bugs@lists.dyne.org, Devuan Dev Team <devuan-dev@lists.dyne.org>:
bug#294; Package tasksel. (Thu, 16 Feb 2023 14:08:01 GMT) (full text, mbox, link).


Message #18 received at 294@bugs.devuan.org (full text, mbox, reply):

From: Mark Hindley <mark@hindley.org.uk>
To: Olaf Meeuwissen <paddy-hack@member.fsf.org>, 294@bugs.devuan.org
Subject: Re: bug#294: task-kde-desktop silently pulls in unattended-upgrades
Date: Thu, 16 Feb 2023 14:05:43 +0000
Control: reassign -1 python3-software-properties
Control: tags -1 debian
Control: forwarded -1 https://bugs.debian.org/447701

Olaf,

On Sun, Feb 17, 2019 at 08:23:48PM +0900, Olaf Meeuwissen wrote:
> I think the easiest way to get out of this "mess" is to downgrade the
> dependency on unattended-upgrades from a Recommends: to a Suggests: in
> python3-software-properties.

This has now happened in Debian: see #447701.

Mark



bug reassigned from package 'tasksel' to 'python3-software-properties'. Request was from Mark Hindley <mark@hindley.org.uk> to 294-submit@bugs.devuan.org. (Thu, 16 Feb 2023 14:08:03 GMT) (full text, mbox, link).


Added tag(s) debian. Request was from Mark Hindley <mark@hindley.org.uk> to 294-submit@bugs.devuan.org. (Thu, 16 Feb 2023 14:08:03 GMT) (full text, mbox, link).


Set bug forwarded-to-address to 'https://bugs.debian.org/447701'. Request was from Mark Hindley <mark@hindley.org.uk> to 294-submit@bugs.devuan.org. (Thu, 16 Feb 2023 14:08:03 GMT) (full text, mbox, link).


Reply sent to Mark Hindley <mark@hindley.org.uk>:
You have taken responsibility. (Thu, 16 Feb 2023 14:22:04 GMT) (full text, mbox, link).


Notification sent to Olaf Meeuwissen <paddy-hack@member.fsf.org>:
bug acknowledged by developer. (Thu, 16 Feb 2023 14:22:05 GMT) (full text, mbox, link).


Message #29 received at 294-done@bugs.devuan.org (full text, mbox, reply):

From: Mark Hindley <mark@hindley.org.uk>
To: 294-done@bugs.devuan.org
Subject: Fixed in Debian #447701
Date: Thu, 16 Feb 2023 14:20:17 +0000
Version: 0.99.30-1

Information forwarded to devuan-bugs@lists.dyne.org, devuan-dev@lists.dyne.org:
bug#294; Package python3-software-properties. (Sat, 18 Feb 2023 02:16:02 GMT) (full text, mbox, link).


Acknowledgement sent to Olaf Meeuwissen <paddy-hack@member.fsf.org>:
Extra info received and forwarded to list. Copy sent to devuan-dev@lists.dyne.org. (Sat, 18 Feb 2023 02:16:07 GMT) (full text, mbox, link).


Message #34 received at 294@bugs.devuan.org (full text, mbox, reply):

From: Olaf Meeuwissen <paddy-hack@member.fsf.org>
To: Mark Hindley <mark@hindley.org.uk>
Cc: 294@bugs.devuan.org
Subject: Re: bug#294: task-kde-desktop silently pulls in unattended-upgrades
Date: Sat, 18 Feb 2023 11:08:25 +0900
Hi Mark,

Mark Hindley <mark@hindley.org.uk> writes:

> Control: reassign -1 python3-software-properties
> Control: tags -1 debian
> Control: forwarded -1 https://bugs.debian.org/447701
>
> Olaf,
>
> On Sun, Feb 17, 2019 at 08:23:48PM +0900, Olaf Meeuwissen wrote:
>> I think the easiest way to get out of this "mess" is to downgrade the
>> dependency on unattended-upgrades from a Recommends: to a Suggests: in
>> python3-software-properties.
>
> This has now happened in Debian: see #447701.

Thanks for cleaning out the old bug reports!

I checked the dependencies of python3-software-properties (on daedalus)
and it has neither Recommends: nor Suggests: anymore.

Checking a --dry-run install of task-kde-desktop (on daedalus) following
the approach from my original bug report no longer tries to install the
unattended-upgrades.

Finally fixed then :-)
--
Olaf Meeuwissen

Send a report that this bug log contains spam.


Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.

Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Fri Mar 29 09:28:21 2024;