[Secure-testing-team] Bug#768047: aptitude: doesn't notice a package is obsolete, when it's not yet for an older suite

Christoph Anton Mitterer calestyo at scientia.net
Tue Nov 4 13:41:11 UTC 2014 

Package: aptitude
Version: 0.6.11-1
Severity: important
Tags: security


Hi.

Apparently the following is the case (at least in aptitude, perhaps this is in apt as well):

When having repos for multiple suites (e.g. unstable and stable) where one is the
"main" suite and the is only selectively used for some packages via the apt_preferences
mechanism (e.g. to keep some packages at older versions or to take newer versions for some)
it can happen, that a package is dropped from one suite but not from the other.

E.g. in my case, I'm running at unstable, but have stable enabled for some packages (while
all other packages for stable have a lower prio)... in unstable, lcms1 was dropped, while
it continues to exist in stable.

aptitude doesn't show me that lcms1 packages are obsolete now, which of course also means
that I wont't get any further (security) upgrades for it in unstable and of course I won't
get upgrade to stable as well, since lcms1 isn't what I'm selecting via apt-preferences.

Since unstable is not officially security supported, I won't even get a DSA or something
like that, telling me that lcms1 is now longer supported.


apt/aptitude should show a package as being obsolete, in such a case.


Cheers,
Chris.

-- Package-specific info:
Terminal: xterm
$DISPLAY is set.
which aptitude: /usr/bin/aptitude

aptitude version information:
aptitude 0.6.11 compiled at Jun  9 2014 20:46:57
Compiler: g++ 4.8.3
Compiled against:
  apt version 4.12.0
  NCurses version 5.9
  libsigc++ version: 2.2.11
  Gtk+ support disabled.
  Qt support disabled.

Current library versions:
  NCurses version: ncurses 5.9.20140913
  cwidget version: 0.5.17
  Apt version: 4.12.0

aptitude linkage:
	linux-vdso.so.1 (0x00007fffbb167000)
	libapt-pkg.so.4.12 => /usr/lib/x86_64-linux-gnu/libapt-pkg.so.4.12 (0x00007f6d43690000)
	libncursesw.so.5 => /lib/x86_64-linux-gnu/libncursesw.so.5 (0x00007f6d4345a000)
	libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f6d4322f000)
	libsigc-2.0.so.0 => /usr/lib/x86_64-linux-gnu/libsigc-2.0.so.0 (0x00007f6d43029000)
	libcwidget.so.3 => /usr/lib/x86_64-linux-gnu/libcwidget.so.3 (0x00007f6d42d13000)
	libsqlite3.so.0 => /usr/lib/x86_64-linux-gnu/libsqlite3.so.0 (0x00007f6d42a4a000)
	libboost_iostreams.so.1.55.0 => /usr/lib/x86_64-linux-gnu/libboost_iostreams.so.1.55.0 (0x00007f6d42832000)
	libxapian.so.22 => /usr/lib/libxapian.so.22 (0x00007f6d42421000)
	libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f6d42203000)
	libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f6d41ef8000)
	libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f6d41bf7000)
	libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f6d419e0000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f6d41637000)
	libutil.so.1 => /lib/x86_64-linux-gnu/libutil.so.1 (0x00007f6d41434000)
	libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f6d4122f000)
	libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f6d41014000)
	libbz2.so.1.0 => /lib/x86_64-linux-gnu/libbz2.so.1.0 (0x00007f6d40e04000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f6d40be0000)
	librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f6d409d8000)
	libuuid.so.1 => /lib/x86_64-linux-gnu/libuuid.so.1 (0x00007f6d407d2000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f6d44044000)

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_DE.utf8, LC_CTYPE=en_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages aptitude depends on:
ii  aptitude-common           0.6.11-1
ii  libapt-pkg4.12            1.0.9.3
ii  libboost-iostreams1.55.0  1.55.0+dfsg-3
ii  libc6                     2.19-12
ii  libcwidget3               0.5.17-2
ii  libgcc1                   1:4.9.1-19
ii  libncursesw5              5.9+20140913-1
ii  libsigc++-2.0-0c2a        2.4.0-1
ii  libsqlite3-0              3.8.7-1
ii  libstdc++6                4.9.1-19
ii  libtinfo5                 5.9+20140913-1
ii  libxapian22               1.2.19-1

Versions of packages aptitude recommends:
ii  aptitude-doc-en [aptitude-doc]  0.6.11-1
ii  libparse-debianchangelog-perl   1.2.0-1.1
ii  sensible-utils                  0.0.9

Versions of packages aptitude suggests:
ii  apt-xapian-index  0.47
ii  debtags           1.12.3
ii  tasksel           3.29

-- no debconf information

More information about the Secure-testing-team mailing list