Unattended upgrades from 1.8.2 to 2.0.0-rc3 fail

[zenmonkeykstop]

Description

Unattended upgrades from 1.8.2 to 2.0.0-rc3 fail to complete successfully on the app server, with the securedrop-app-code package being held back.

Steps to Reproduce

• Set up a prod environment (hardware or VMs) with current version 1.8.2
• install testing apt key and flip repos from apt.freedom.press to apt-test.freedom.press in apt sources lists
• run sudo apt-get update && sudo unattended-upgrades -d

Expected Behavior

2.0.0-rc3 packages are installed without error (altbeit with a connection drop if ssh-over-tor is enabled)

Actual Behavior

securedrop-app-code is held back as "package haveged is marked to be deleted"

Comments

Suggestions to fix, any other relevant information.

[kushaldas]

I can now verify this issue.

<snipped>
Checking: securedrop-app-code ([<Origin component:'main' archive:'' origin:'SecureDrop' label:'' site:'apt-test.freedom.press' isTrusted:True>])              
sanity check failed for: {'haveged=1.9.1-6ubuntu1', 'securedrop-app-code=2.0.0~rc3+focal'} : pkg haveged is marked to be deleted                              
falling back to adjusting securedrop-app-code's dependencies                                                                                                  
sanity check failed for: {'haveged=1.9.1-6ubuntu1', 'securedrop-app-code=2.0.0~rc3+focal'} : pkg haveged is marked to be deleted                              
Checking: securedrop-config ([<Origin component:'main' archive:'' origin:'SecureDrop' label:'' site:'apt-test.freedom.press' isTrusted:True>])                
Checking: securedrop-keyring ([<Origin component:'main' archive:'' origin:'SecureDrop' label:'' site:'apt-test.freedom.press' isTrusted:True>])               
Checking: securedrop-ossec-agent ([<Origin component:'main' archive:'' origin:'SecureDrop' label:'' site:'apt-test.freedom.press' isTrusted:True>])           
Checking: tor ([<Origin component:'main' archive:'' origin:'SecureDrop' label:'' site:'apt-test.freedom.press' isTrusted:True>])                              
pkgs that look like they should be upgraded: securedrop-config                                                                                                
securedrop-keyring                                                                                                                                            
securedrop-ossec-agent                                                                                                                                        
tor                                                                                                                                                           
Get:1 https://apt-test.freedom.press focal/main amd64 securedrop-config all 0.1.4+2.0.0~rc3+focal [3064 B]                                                    
Get:2 https://apt-test.freedom.press focal/main amd64 securedrop-keyring amd64 0.1.5+2.0.0~rc3+focal [8120 B]                                                 
Get:3 https://apt-test.freedom.press focal/main amd64 securedrop-ossec-agent amd64 3.6.0+2.0.0~rc3+focal [4664 B]                                             
Get:4 https://apt-test.freedom.press focal/main amd64 tor amd64 0.4.5.8-1~focal+1 [1488 kB]                                                                   
Fetched 1503 kB in 0s (0 B/s)                                                                                                                                 
fetch.run() result: 0                                                                                                                                         
dpkg is configured not to cause conffile prompts                                                                                                              
Packages that will be upgraded: securedrop-config securedrop-keyring securedrop-ossec-agent tor 


<snipped>

Log started: 2021-06-21  06:57:55
(Reading database ... 46453 files and directories currently installed.)
Preparing to unpack .../tor_0.4.5.8-1~focal+1_amd64.deb ...
Unpacking tor (0.4.5.8-1~focal+1) over (0.4.5.7-1~focal+1) ...
Setting up tor (0.4.5.8-1~focal+1) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for systemd (245.4-4ubuntu3.7) ...
left to upgrade set()
All upgrades installed
InstCount=0 DelCount=0 BrokenCount=0
Package securedrop-app-code has a higher version available, checking if it is from an allowed origin and is not pinned down.
Package securedrop-app-code is kept back because a related package is kept back or due to local apt_preferences(5).
Extracting content from /var/log/unattended-upgrades/unattended-upgrades-dpkg.log since 2021-06-21 06:57:34

[kushaldas]

I think this happened due to https://github.com/freedomofpress/securedrop/pull/5954/files#diff-6625b173542ab918529e3fb0d9afe3e148b3bc79d4cd33c0106d237c155155b0R11, during review I missed how that Conflicts actually works.

From the Debian documentation:

If one package is to be unpacked, the other must be removed first. If the
package being unpacked is marked as replacing (see Overwriting files and
replacing packages - Replaces, but note that Breaks should normally be used in
this case) the one on the system, or the one on the system is marked as
deselected, or both packages are marked Essential, then dpkg will automatically
remove the package which is causing the conflict. Otherwise, it will halt the
installation of the new package with an error. This mechanism is specifically
designed to produce an error when the installed package is Essential, but the
new package is not.

Also from the same page:

This usage of Replaces only takes effect when both packages are at least partially on
 the system at once. It is not relevant if the packages conflict unless the conflict has been overridden.

Because haveged is already on the system, it is not getting removed automatically and dpkg is throwing the error.

My suggestion is to remove haveged from Conflicts and Replaces lines in the control file. The package will be removed next time the admins rerun the ansible.

[rmol]

The removal of haveged was prompted by the idea that it could actually give some control over the system's source of randomness if compromised.

From your reading of the control file docs, do you think marking securedrop-app-code Essential could also work?

[kushaldas]

The removal of haveged was prompted by the idea that it could actually give some control over the system's source of randomness if compromised.

From your reading of the control file docs, do you think marking securedrop-app-code Essential could also work?

Maybe, this is totally unknown territory for me. Specially when Essential packages are important for the system to run. I don't know enough how that break things now or in future.

[rmol]

After looking a bit more, I think unattended-upgrades is going to refuse to handle a deletion like this no matter how we trigger it, so if we want securedrop-app-code updated, #6006 is required.