apt-check 和 unattend-upgrades 脚本中可用的安全更新数量不同

tag-icon tag-icon apt package-management unattended-upgrades
apt-check 和 unattend-upgrades 脚本中可用的安全更新数量不同

check_apt我发现和中的安全更新数量存在差异unattended-upgrade scripts

通用/usr/lib/update-notifier/apt-check脚本使用isSecurityUpgrade(ver)第40行的函数来判断包裹的状态。看起来运行正常。看一看函数代码就很容易理解。

结果是check_apt

root@pandora:/home/sysadmin# /usr/lib/update-notifier/apt-check --human-readable
125 packages can be updated.
4 updates are security updates.

unattended-upgrade不包括此升级包。

root@pandora:/home/sysadmin# unattended-upgrade --dry-run -v
Initial blacklisted packages: 
Starting unattended upgrades script
Allowed origins are: ['o=Ubuntu,a=trusty-security', 'o=trusty,a=nginx']
Option --dry-run given, *not* performing real actions
Packages that will be upgraded: 
Packages that are auto removed: ''
Packages auto-removed

我手动找到了它们(通过向该脚本添加自定义调试输出)。

它是以下包:

liboxideqt-qmlplugin:amd64/trusty-security 1.9.5-0ubuntu0.14.04.1 upgradeable to 1.17.7-0ubuntu0.14.04.1
liboxideqtcore0:amd64/trusty-security 1.9.5-0ubuntu0.14.04.1 upgradeable to 1.17.7-0ubuntu0.14.04.1
liboxideqtquick0:amd64/trusty-security 1.9.5-0ubuntu0.14.04.1 upgradeable to 1.17.7-0ubuntu0.14.04.1
oxideqt-codecs-extra:amd64/trusty-security 1.9.5-0ubuntu0.14.04.1 upgradeable to 1.17.7-0ubuntu0.14.04.1

以下是我允许的来源的设置:

Unattended-Upgrade::Allowed-Origins {
#  "${distro_id}:${distro_codename}";
  "${distro_id}:${distro_codename}-security";
  "${distro_codename}:nginx";
};

还有一点:

如果我们取消注释origin "${distro_id}:${distro_codename}",这些更新将通过脚本安装unattended-upgrade

root@pandora:/home/sysadmin# unattended-upgrade --dry-run -v
Initial blacklisted packages: 
Starting unattended upgrades script
Allowed origins are: ['o=Ubuntu,a=trusty', 'o=Ubuntu,a=trusty-security', 'o=trusty,a=nginx']
Option --dry-run given, *not* performing real actions
Packages that will be upgraded: liboxideqt-qmlplugin liboxideqtcore0 liboxideqtquick0 libsmbclient libwbclient0 oxideqt-codecs-extra python-samba samba samba-common samba-common-bin samba-dsdb-modules samba-libs samba-vfs-modules smbclient

为什么会发生这种情况?

更新 1:

我发现这个包被添加到pkgs_kept_backcheck_changes_for_sanity/usr/bin/unattended-upgrade

有一些代码:

if check_changes_for_sanity(cache, allowed_origins,
                                            blacklisted_pkgs):
                # add to packages to upgrade
                pkgs_to_upgrade.append(pkg)
            ...
            else:
                logging.debug("sanity check failed")
                rewind_cache(cache, pkgs_to_upgrade)
                pkgs_kept_back.append(pkg.name)

为什么会发生这种情况?

相关内容