Debian Bug report logs - #895217
aptitude: Uses hostname of repo to determine what is a security update instead of repo metadata


Package: aptitude; Maintainer for aptitude is Aptitude Development Team <[email protected]>; Source for aptitude is src:aptitude (PTS, buildd, popcon).

Reported by: Axel Beckert <[email protected]>

Date: Sun, 8 Apr 2018 13:03:02 UTC

Severity: normal

Tags: confirmed, upstream

Found in version aptitude/0.8.10-6



Report forwarded to [email protected], [email protected], Aptitude Development Team <[email protected]>:
Bug#895217; Package aptitude. (Sun, 08 Apr 2018 13:03:04 GMT) (full text, mbox, link).


Acknowledgement sent to Axel Beckert <[email protected]>:
New Bug report received and forwarded. Copy sent to [email protected], Aptitude Development Team <[email protected]>. (Sun, 08 Apr 2018 13:03:21 GMT) (full text, mbox, link).


Message #5 received at [email protected] (full text, mbox, reply):

From: Axel Beckert <[email protected]>
To: Debian Bug Tracking System <[email protected]>
Subject: aptitude: Uses hostname of repo to determine what is a security update instead of repo metadata
Date: Sun, 08 Apr 2018 15:00:57 +0200
Package: aptitude
Version: 0.8.10-6
Severity: normal
Tags: confirmed upstream

aptitude uses the hostname of the APT repository (e.g. "security.debian.org")
to determine what is a security update and what isn't instead of using
the repository metadata provided by apt's libraries.

From src/generic/apt/apt.cc:

bool is_security(const pkgCache::VerIterator &ver)
{
  static std::regex site_regex { "^security\\.(.+\\.)?debian.org$" };
  std::smatch site_match;

  for (pkgCache::VerFileIterator F = ver.FileList(); !F.end(); ++F)
    {
      pkgCache::PkgFileIterator fileit = F.File();
      if (!fileit.end())
        {
          string site  = fileit.Site()  ? fileit.Site()  : "";
          string label = fileit.Label() ? fileit.Label() : "";
          std::regex_search(site, site_match, site_regex);

          if (!site_match.empty() && label == "Debian-Security")
            return true;
        }
    }

  return false;
}

This should rather look at metadata (especially the label) like this:

$ apt-cache policy | fgrep -i security
 990 http://security.debian.org stretch/updates/non-free i386 Packages
     release v=9,o=Debian,a=stable,n=stretch,l=Debian-Security,c=non-free,b=i386
     origin security.debian.org
 990 http://security.debian.org stretch/updates/contrib i386 Packages
     release v=9,o=Debian,a=stable,n=stretch,l=Debian-Security,c=contrib,b=i386
     origin security.debian.org
 990 http://security.debian.org stretch/updates/main i386 Packages
     release v=9,o=Debian,a=stable,n=stretch,l=Debian-Security,c=main,b=i386
     origin security.debian.org
 990 https://security.debian.ethz.ch stretch/updates/non-free i386 Packages
     release v=9,o=Debian,a=stable,n=stretch,l=Debian-Security,c=non-free,b=i386
     origin security.debian.ethz.ch
 990 https://security.debian.ethz.ch stretch/updates/contrib i386 Packages
     release v=9,o=Debian,a=stable,n=stretch,l=Debian-Security,c=contrib,b=i386
     origin security.debian.ethz.ch
 990 https://security.debian.ethz.ch stretch/updates/main i386 Packages
     release v=9,o=Debian,a=stable,n=stretch,l=Debian-Security,c=main,b=i386
     origin security.debian.ethz.ch

-- Package-specific info:
-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (600, 'testing'), (500, 'unstable-debug'), (500, 'buildd-unstable'), (110, 'experimental'), (1, 'experimental-debug'), (1, 'buildd-experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.15.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages aptitude depends on:
ii  aptitude-common            0.8.10-6
ii  libapt-pkg5.0              1.6~beta1
ii  libboost-filesystem1.62.0  1.62.0+dfsg-5
ii  libboost-iostreams1.62.0   1.62.0+dfsg-5
ii  libboost-system1.62.0      1.62.0+dfsg-5
ii  libc6                      2.27-3
ii  libcwidget3v5              0.5.17-7
ii  libgcc1                    1:8-20180402-1
ii  libncursesw5               6.1-1
ii  libsigc++-2.0-0v5          2.10.0-2
ii  libsqlite3-0               3.23.0-1
ii  libstdc++6                 8-20180402-1
ii  libtinfo5                  6.1-1
ii  libxapian30                1.4.5-1

Versions of packages aptitude recommends:
ii  libparse-debianchangelog-perl  1.2.0-12
ii  sensible-utils                 0.0.12

Versions of packages aptitude suggests:
ii  apt-xapian-index                0.49
ii  aptitude-doc-en [aptitude-doc]  0.8.10-6
ii  debtags                         2.1.5
pn  tasksel                         <none>

-- no debconf information
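The following is an added example (not code from the bug report or from aptitude) that makes the difference between the two classification strategies concrete. It parses the per-source blocks of `apt-cache policy` output as shown in the report, applies the hostname regex from aptitude's quoted `is_security()` (translated to Python), and applies a metadata check that pairs `o=Debian` with `l=Debian-Security`, the same origin/label pair that apt pinning expressions of the form `release o=Debian,l=Debian-Security` key on. Pairing the two fields is a deliberate assumption here: the Label alone can be set by any repository publisher, so a label-only check would accept a third-party repository that merely copies the string. The sample input reuses two blocks from the report and adds one constructed third-party entry (`https://mirror.example.org`, not on the page) to show that case.

```python
import re
from dataclasses import dataclass, field

# Hostname regex from aptitude's is_security() as quoted in the report.
# Note the unescaped dot in "debian.org", reproduced as-is.
HOST_REGEX = re.compile(r"^security\.(.+\.)?debian.org$")


@dataclass
class Source:
    """One package-file block from `apt-cache policy` output."""
    priority: int
    url: str
    release: dict = field(default_factory=dict)  # key=value pairs of the "release" line
    origin_host: str = ""                         # hostname from the "origin" line


def parse_apt_cache_policy(text):
    """Parse the 'Package files' blocks: a priority+URL header line followed
    by indented 'release k=v,...' and 'origin <host>' lines."""
    sources = []
    current = None
    for line in text.splitlines():
        header = re.match(r"^\s*(\d+)\s+(\S+://\S+)\s", line)
        if header:
            current = Source(int(header.group(1)), header.group(2))
            sources.append(current)
            continue
        if current is None:
            continue  # e.g. the /var/lib/dpkg/status block, which has no URL
        stripped = line.strip()
        if stripped.startswith("release "):
            for kv in stripped[len("release "):].split(","):
                key, _, value = kv.partition("=")
                current.release[key] = value
        elif stripped.startswith("origin "):
            current.origin_host = stripped[len("origin "):]
    return sources


def is_security_by_hostname(src):
    """Mirror of the reported behaviour: hostname regex AND label check."""
    return bool(HOST_REGEX.search(src.origin_host)) and src.release.get("l") == "Debian-Security"


def is_security_by_metadata(src):
    """Metadata-only check: trust the signed Release file's Origin and Label,
    which survive mirroring under any hostname."""
    return src.release.get("o") == "Debian" and src.release.get("l") == "Debian-Security"


def classify(text):
    """Return {url: (by_hostname, by_metadata)} for every URL-backed source."""
    return {s.url: (is_security_by_hostname(s), is_security_by_metadata(s))
            for s in parse_apt_cache_policy(text)}


# Constructed sample: two blocks copied from the report plus one made-up
# third-party repository that merely reuses the "Debian-Security" label.
SAMPLE = """\
Package files:
 100 /var/lib/dpkg/status
     release a=now
 990 http://security.debian.org stretch/updates/main i386 Packages
     release v=9,o=Debian,a=stable,n=stretch,l=Debian-Security,c=main,b=i386
     origin security.debian.org
 990 https://security.debian.ethz.ch stretch/updates/main i386 Packages
     release v=9,o=Debian,a=stable,n=stretch,l=Debian-Security,c=main,b=i386
     origin security.debian.ethz.ch
 500 https://mirror.example.org stretch main i386 Packages
     release o=Example,a=stable,n=stretch,l=Debian-Security,c=main,b=i386
     origin mirror.example.org
"""

if __name__ == "__main__":
    for url, (by_host, by_meta) in classify(SAMPLE).items():
        print(f"{url:40s} hostname={by_host!s:5s} metadata={by_meta!s:5s}")
```

Running it shows the three outcomes that matter: the canonical host is flagged by both checks, the ETH Zurich mirror is flagged only by the metadata check (the regex rejects its hostname even though it serves the same signed index), and the constructed third-party repository is rejected by both because its Origin is not `Debian`. On a real system, feed it the output of `apt-cache policy` instead of `SAMPLE`.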

Information forwarded to [email protected], Aptitude Development Team <[email protected]>:
Bug#895217; Package aptitude. (Sun, 08 Apr 2018 13:39:10 GMT) (full text, mbox, link).


Acknowledgement sent to Axel Beckert <[email protected]>:
Extra info received and forwarded to list. Copy sent to Aptitude Development Team <[email protected]>. (Sun, 08 Apr 2018 13:39:12 GMT) (full text, mbox, link).


Message #10 received at [email protected] (full text, mbox, reply):

From: Axel Beckert <[email protected]>
To: [email protected]
Subject: Re: Bug#895217: aptitude: Uses hostname of repo to determine what is a security update instead of repo metadata
Date: Sun, 8 Apr 2018 15:32:34 +0200
Hi,

Axel Beckert wrote:
> aptitude uses the hostname of APT repository (e.g. "security.debian.org"
> to determine what is a security update and what isn't instead of using
> the repository metadata provided by apt's libraries.

JFTR: This was prompted by
https://bugs.launchpad.net/debian/+source/aptitude/+bug/1370416, see
https://bugs.launchpad.net/debian/+source/aptitude/+bug/1370416/comments/14

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <[email protected]>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE





Debian bug tracking system administrator <[email protected]>. Last modified: Tue May 13 13:02:44 2025; Machine Name: buxtehude
