Ubuntu
apt package

apt-cache doesn't differentiate sources that share protocol, host, release and archive name

Bug #22354 reported by Debian Bug Importer
60
This bug affects 8 people
Affects Status Importance Assigned to Milestone
apt (Debian)
Fix Released
Unknown
apt (Ubuntu)
Fix Released
High
Robert Collins

Bug Description

Automatically imported from Debian bug report #329814 http://bugs.debian.org/329814

Related branches

lp://staging/~lifeless/ubuntu/lucid/apt/bug-22354
Michael Vogt (community): Approve
Ubuntu branches: Pending requested
Diff: 117 lines (+31/-6)
5 files modified
AUTHORS (+4/-0)
apt-pkg/contrib/strutl.cc (+12/-0)
apt-pkg/contrib/strutl.h (+1/-0)
apt-pkg/deb/debindexfile.cc (+6/-6)
debian/changelog (+8/-0)
lp://staging/~mvo/apt/mvo
Ubuntu Core Development Team: Pending requested
Diff: 443 lines (+76/-48)
14 files modified
apt-pkg/contrib/fileutl.cc (+10/-5)
doc/po/fr.po (+54/-32)
test/integration/framework (+1/-0)
test/integration/run-tests (+1/-1)
test/integration/test-autoremove (+1/-1)
test/integration/test-bug-590438-broken-provides-thanks-to-remove-order (+1/-1)
test/integration/test-bug-591882-conkeror (+1/-1)
test/integration/test-bug-595691-empty-and-broken-archive-files (+1/-1)
test/integration/test-bug-598669-install-postfix-gets-exim-heavy (+1/-1)
test/integration/test-compressed-indexes (+1/-1)
test/integration/test-disappearing-packages (+1/-1)
test/integration/test-pdiff-usage (+1/-1)
test/integration/test-policy-pinning (+1/-1)
test/integration/test-ubuntu-bug-614993 (+1/-1)
Ubuntu Core Development Team: Pending requested
Diff: 73066 lines (+13639/-12297) (has conflicts)
76 files modified
apt-pkg/contrib/fileutl.cc (+26/-2)
apt-pkg/contrib/strutl.cc (+2/-2)
apt-pkg/deb/debindexfile.cc (+13/-9)
apt-pkg/deb/deblistparser.cc (+6/-0)
apt-pkg/deb/debsystem.cc (+2/-2)
apt-pkg/depcache.cc (+15/-1)
apt-pkg/packagemanager.cc (+3/-3)
apt-pkg/pkgcache.cc (+1/-0)
apt-pkg/pkgcache.h (+1/-1)
apt-pkg/policy.cc (+5/-4)
buildlib/debiandoc.mak (+2/-2)
buildlib/po4a_manpage.mak (+1/-1)
cmdline/apt-get.cc (+12/-0)
debian/apt.cron.daily (+15/-28)
debian/changelog (+158/-0)
debian/control (+1/-1)
doc/examples/configure-index (+1/-0)
doc/po/de.po (+292/-590)
doc/po/fr.po (+8/-4)
po/apt-all.pot (+278/-266)
po/ar.po (+278/-266)
po/ast.po (+299/-287)
po/bg.po (+278/-266)
po/bs.po (+278/-266)
po/ca.po (+375/-241)
po/cs.po (+278/-266)
po/cy.po (+278/-266)
po/da.po (+405/-226)
po/de.po (+350/-247)
po/dz.po (+278/-266)
po/el.po (+278/-266)
po/es.po (+278/-266)
po/eu.po (+278/-266)
po/fi.po (+278/-266)
po/fr.po (+278/-268)
po/gl.po (+278/-266)
po/he.po (+2/-2)
po/hu.po (+278/-266)
po/it.po (+284/-272)
po/ja.po (+278/-266)
po/km.po (+278/-266)
po/ko.po (+278/-266)
po/ku.po (+278/-266)
po/lt.po (+278/-266)
po/mr.po (+278/-266)
po/nb.po (+377/-236)
po/ne.po (+278/-266)
po/nl.po (+280/-268)
po/nn.po (+278/-266)
po/pl.po (+278/-266)
po/pt.po (+279/-267)
po/pt_BR.po (+278/-266)
po/ro.po (+278/-266)
po/ru.po (+279/-267)
po/sk.po (+278/-266)
po/sl.po (+278/-266)
po/sv.po (+278/-266)
po/th.po (+278/-266)
po/tl.po (+278/-266)
po/uk.po (+278/-266)
po/vi.po (+543/-535)
po/zh_CN.po (+278/-273)
po/zh_TW.po (+278/-266)
test/integration/Packages-policy-pinning (+12/-0)
test/integration/framework (+2/-1)
test/integration/run-tests (+1/-1)
test/integration/test-autoremove (+1/-1)
test/integration/test-bug-590438-broken-provides-thanks-to-remove-order (+1/-1)
test/integration/test-bug-591882-conkeror (+5/-5)
test/integration/test-bug-595691-empty-and-broken-archive-files (+91/-0)
test/integration/test-bug-598669-install-postfix-gets-exim-heavy (+22/-0)
test/integration/test-compressed-indexes (+1/-1)
test/integration/test-disappearing-packages (+1/-1)
test/integration/test-pdiff-usage (+1/-1)
test/integration/test-policy-pinning (+228/-0)
test/integration/test-ubuntu-bug-614993 (+62/-0)
lp://staging/~mvo/apt/debian-sid (Merged)
lp://staging/ubuntu/lucid/apt
Revision history for this message
Debian Bug Importer (debzilla) wrote :
Download full text (5.6 KiB)

Message-ID: <email address hidden>
Date: Fri, 23 Sep 2005 16:23:58 +0200
From: Pierre THIERRY <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: apt-cache doesn't differentiate sources that share protocol, host, release and archive name

--1kVeyRzorzGcO9ta
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: apt
Version: 0.5.28.6
Severity: serious
Tags: security
Justification: User can think he's installing Debian software when he's not

When multiple sources are used with APT that are hosted on the same host
with the same protocol, and also share combinations of release and
archive (e.g. etch/main), apt-cache policy shows their packages in a
identical form. That has lead me to think that mplayer and transcode had
been accepted in Debian and install a non-official package of ffmpeg,
because I had Christian Marillat's source in my sources.list.

Thus, any source on a server of an official Debian source that contain
packages without security fixes or with additional security holes, whose
version is higher than Debian official packages will lead the user to an
unprotected situation, even if he is cautious of what packages he
installs, in terms of security.

pierre@bateleur:~$ apt-cache policy mplayer-k6
mplayer-k6:
  Install=E9=A0: (aucun)
  Candidat=A0: 1:1.0-pre7-0.0
 Table de version=A0:
     1:1.0-pre7cvs20050716-0.1 0
        500 ftp://ftp.nerim.net sid/main Packages
     1:1.0-pre7-0.0 0
        500 ftp://ftp.nerim.net sarge/main Packages
        990 ftp://ftp.nerim.net etch/main Packages
        100 /var/lib/dpkg/status

pierre@bateleur:~$ apt-cache policy ffmpeg
ffmpeg:
  Install=E9=A0: 0.cvs20050918-4
  Candidat=A0: 3:20050806-0.2
 Table de version=A0:
     3:20050806-0.2 0
        500 ftp://ftp.nerim.net sid/main Packages
     3:20050427-0sarge0.1 0
        500 ftp://ftp.nerim.net sarge/main Packages
 *** 0.cvs20050918-4 0
        500 ftp://ftp.nerim.net sid/main Packages
        100 /var/lib/dpkg/status
     0.cvs20050313-2 0
        500 ftp://ftp.nerim.net sarge/main Packages
        990 ftp://ftp.nerim.net etch/main Packages

-- Package-specific info:

-- apt-config dump --

APT "";
APT::Architecture "i386";
APT::Build-Essential "";
APT::Build-Essential:: "build-essential";
APT::Default-Release "testing";
Dir "/";
Dir::State "var/lib/apt/";
Dir::State::lists "lists/";
Dir::State::cdroms "cdroms.list";
Dir::State::userstatus "status.user";
Dir::State::status "/var/lib/dpkg/status";
Dir::Cache "var/cache/apt/";
Dir::Cache::archives "archives/";
Dir::Cache::srcpkgcache "srcpkgcache.bin";
Dir::Cache::pkgcache "pkgcache.bin";
Dir::Etc "etc/apt/";
Dir::Etc::sourcelist "sources.list";
Dir::Etc::vendorlist "vendors.list";
Dir::Etc::vendorparts "vendors.list.d";
Dir::Etc::main "apt.conf";
Dir::Etc::parts "apt.conf.d";
Dir::Etc::preferences "preferences";
Dir::Bin "";
Dir::Bin::methods "/usr/lib/apt/methods";
Dir::Bin::dpkg "/usr/bin/dpkg";
DPkg "";
DPkg::Pre-Install-Pkgs "";
DPkg::Pre-Install-Pkgs:: "if dpkg -s apt-listbugs | grep -q '^Status: .* ok=
 installed'; then /usr/sbin/apt-listbugs apt |...

Read more...

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Fri, 23 Sep 2005 10:42:43 -0700
From: Steve Langasek <email address hidden>
To: <email address hidden>
Subject: severity of 329814 is normal

# Automatically generated email from bts, devscripts version 2.9.4
severity 329814 normal

Revision history for this message
Matt Zimmerman (mdz) wrote :

Not even remotely critical

Revision history for this message
David Fraser (davidf) wrote :

Note that with the advent of PPAs this becomes relevant: I cannot tell from which PPA a package is coming, even with specifying -V to apt. The different PPAs are essentially different repositories, so I may only wish to trust packages from certain PPAs.

Not High importance perhaps, but surely not Invalid

Changed in apt:
status: Invalid → New
j.scott.gwin@gmail.com (j.scott.gwin)
Changed in apt:
status: New → Confirmed
Revision history for this message
Ernst (ernst-blaauw) wrote :

Yes, I just installed (with the daily updates) a linux-libc-dev package. I want to disable the PPA repo, but I don't know which of the twenty has offered it.
So, I would also love to have more info from apt-cache. Is this possible (and is it very difficult)?

Matt Zimmerman (mdz)
Changed in apt (Ubuntu):
assignee: Matt Zimmerman (mdz) → nobody
Revision history for this message
Martin Pool (mbp) wrote :

An example of the problems with madison and PPAs:

mbp@grace% apt-cache madison bzr
       bzr | 2.1.0+b1+4878+129~8.10 | http://ppa.launchpad.net karmic/main Packages
       bzr | 2.0.2-1~bazaar1~karmic | http://ppa.launchpad.net karmic/main Packages
       bzr | 2.0.1-1~bazaar1~karmic | http://ppa.launchpad.net karmic/main Packages
       bzr | 2.0.0-0ubuntu1 | http://mirror.internode.on.net karmic/main Packages

How do you know which ppa it is?

Robert Collins (lifeless)
Changed in apt (Ubuntu):
assignee: nobody → Robert Collins (lifeless)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.7.25.3ubuntu2

---------------
apt (0.7.25.3ubuntu2) lucid; urgency=low

  [ Michael Vogt ]
  * abicheck/
    - add new abitest tester using the ABI Compliance Checker from
      http://ispras.linuxfoundation.org/index.php/ABI_compliance_checker
  * debian/apt.conf.autoremove:
    - add "oldlibs" to the APT::Never-MarkAuto-Sections as its used
      for transitional packages
  * apt-pkg/deb/dpkgpm.cc:
    - fix backgrounding when dpkg runs (closes: #486222)
  * cmdline/apt-mark:
    - show error on incorrect aguments (LP: #517917), thanks to
      Torsten Spindler
  * cmdline/apt-get.cc:
    - if apt-get source foo=version or foo/distro can not be found,
      error out (LP: #502641)
  * apt-pkg/indexfile.cc:
    - deal correctly with three letter langcodes (LP: #391409)
  * debian/apt.cron.daily:
    - do not look into admin users gconf anymore for the http proxy
      the user now needs to use the "Apply system-wide" UI in the
      gnome-control-center to set it
  * debian/apt.postinst:
    - add set_apt_proxy_from_gconf() and run that once on upgrade if
      there is no proxy configured already system-wide (LP: #432631)
      From that point on gnome-control-center will have to warn if
      the user makes changes to the proxy settings and does not apply
      them system wide

  [ Robert Collins ]
  * Change the package index Info methods to allow apt-cache policy to be
    useful when using several different archives on the same host.
    (Closes: #329814, LP: #22354)
 -- Michael Vogt <email address hidden> Fri, 12 Mar 2010 23:10:52 +0100

Changed in apt (Ubuntu):
status: Confirmed → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in apt (Debian):
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Related questions

Remote bug watches

Bug watches keep track of this bug in other bug trackers.