wrong check for "server" in libssl3.postinst

Bug #1971650 reported by Steve Langasek
This bug affects 17 people
Affects: openssl (Ubuntu)
Status: Confirmed
Importance: Medium
Assigned to: Unassigned
Milestone: (none)

Bug Description

A security update has just been applied to my system for openssl, and the 'reboot required' message just popped on my desktop. I looked to see why this was, and found the following code in the libssl3 postinst:

        # Here we issue the reboot notification for upgrades and
        # security updates. We do want services to be restarted when we
        # update for a security issue, but planned by the sysadmin, not
        # automatically.

        # Only issue the reboot notification for servers; we proxy this by
        # testing that the X server is not running (LP: #244250)
        if ! pidof /usr/lib/xorg/Xorg > /dev/null && [ -x /usr/share/update-notifier/notify-reboot-required ]; then
                /usr/share/update-notifier/notify-reboot-required
        fi

Now, AFAIK this is the only package that interfaces with notify-reboot-required but omits the notification on desktops, so that seems to be an inconsistent policy; but even if we thought that was the correct policy to apply, the above check for a desktop is not because it doesn't match in the case the user is running Xwayland, which most users not using the nvidia driver will be doing now by default.

Also, this is now inside a block that checks for the presence of needrestart, which is part of the server seed; so in effect this notification now *never* fires on servers, it *only* fires on desktops.

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: openssl 3.0.2-0ubuntu1.1
ProcVersionSignature: Ubuntu 5.15.0-27.28-generic 5.15.30
Uname: Linux 5.15.0-27-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu82
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: ubuntu:GNOME
Date: Thu May 5 05:39:06 2022
InstallationDate: Installed on 2019-12-23 (863 days ago)
InstallationMedia: Ubuntu 19.10 "Eoan Ermine" - Release amd64 (20191017)
RebootRequiredPkgs: Error: path contained symlinks.
SourcePackage: openssl
UpgradeStatus: Upgraded to jammy on 2022-04-15 (19 days ago)
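
The logic described in the report above, as an added shell example that is not part of the original report or of the libssl3 package: it replays the postinst decision over constructed process lists. The `xorg_running` and `would_notify` helpers, the yes/no needrestart flag and the sample process lists are assumptions made for illustration; the exact needrestart test in the real postinst is not shown on this page.

```shell
#!/bin/sh
# Added example: replays the postinst decision on constructed process lists.

# Constructed sample data: one command path per line.
SERVER_PROCS='/usr/sbin/sshd
/usr/sbin/cron'
XORG_DESKTOP_PROCS='/usr/lib/xorg/Xorg
/usr/bin/gnome-shell'
WAYLAND_DESKTOP_PROCS='/usr/bin/gnome-shell
/usr/bin/Xwayland'

# xorg_running PROCLIST
# Simplified stand-in for `pidof /usr/lib/xorg/Xorg`: succeeds only when a
# listed path is exactly /usr/lib/xorg/Xorg, so Xwayland never matches.
xorg_running() {
    printf '%s\n' "$1" | grep -qxF '/usr/lib/xorg/Xorg'
}

# would_notify NEEDRESTART PROCLIST  -> prints "notify" or "silent"
# Assumptions: NEEDRESTART is "yes" or "no"; the enclosing block runs only
# when needrestart is absent (as the report describes); and
# notify-reboot-required is installed and executable.
would_notify() {
    if [ "$1" = "yes" ]; then
        echo silent          # outer block skipped: needrestart handles it
    elif xorg_running "$2"; then
        echo silent          # treated as a desktop by the Xorg proxy
    else
        echo notify          # "not a desktop", so treated as a server
    fi
}

# Print the decision for each constructed scenario.
print_matrix() {
    printf '%-34s %s\n' 'server, needrestart installed:' "$(would_notify yes "$SERVER_PROCS")"
    printf '%-34s %s\n' 'server, no needrestart:' "$(would_notify no "$SERVER_PROCS")"
    printf '%-34s %s\n' 'Xorg desktop, no needrestart:' "$(would_notify no "$XORG_DESKTOP_PROCS")"
    printf '%-34s %s\n' 'Wayland desktop, no needrestart:' "$(would_notify no "$WAYLAND_DESKTOP_PROCS")"
}

print_matrix
```

The Wayland desktop row is the case from the report: a session running only Xwayland fails the Xorg proxy and gets the notification, while a server with needrestart installed never does.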

Steve Langasek (vorlon) wrote :
Changed in openssl (Ubuntu):
importance: Undecided → Medium
tags: added: rls-jj-incoming rls-kk-incoming
Lukas Märdian (slyon)
tags: added: fr-2350
tags: removed: fr-2350 rls-jj-incoming rls-kk-incoming
Simon Chopin (schopin) wrote :

FWIW, Debian just scrapped the postinst entirely, advising users to use needrestart or checkrestart instead.

In my upcoming merge I'll revert the deletion, but I'd be happy to go back and remove that part of the delta once I understand how all the pieces fit together.

Steve Langasek (vorlon) wrote :

Certainly if Debian is dropping the per-package code in favor of needrestart we should head in the same direction, but we need to sort out getting needrestart included in the desktop-common seed first.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openssl (Ubuntu):
status: New → Confirmed
Adrien Nader (adrien-n) wrote :

I had an actual look at the (scary) postinst: the code you've quoted is the only live code left (the rest can only be triggered when upgrading from 18.04).

The good^Wgreat news is that I will delete ". /usr/share/debconf/confmodule" from the script, and it probably should have been behind a conditional.

Now, I'm not sure what we want here in general. If I understand the code right, it will only show the notification when X is not running but avoids servers (due to the check against needrestart). That seems quite inconsistent. Or do I misunderstand something? The code looks like it has grown organically over a fairly long timeframe.

Shall we assume on both desktops and servers that an openssl update always requires a reboot? At least until we do anything related to needrestart.

Steve Langasek (vorlon) wrote :

> Shall we assume on both desktops and servers that an openssl update always requires
> a reboot? At least until we do anything related to needrestart.

For server we should not assume this, because needrestart is already integrated in the server.

Seth Arnold (seth-arnold) wrote : Re: [Bug 1971650] Re: wrong check for "server" in libssl3.postinst

On Tue, Aug 29, 2023 at 03:06:58PM -0000, Adrien Nader wrote:
> Shall we assume on both desktops and servers that an openssl update
> always requires a reboot? At least until we do anything related to
> needrestart.

Our needrestart work is already live, those big obnoxious modal dialogs
are something I don't quickly forget. :)

I think we can delete all the maintainer-script upgrade notices from
jammy onwards, and I wouldn't cry to see it go from earlier releases,
either.

Thanks
