Not possible to upgrade untrusted packages

Bug #707392 reported by Tom Sutch
170
This bug affects 25 people
Affects Status Importance Assigned to Milestone
update-manager (Ubuntu)
Triaged
Low
Unassigned

Bug Description

Binary package hint: update-manager

-------------------
Summary: update-manager does not allow the download/installation of updated packages from "unauthenticated" sources. Previous versions of update-manager have always given an option to continue anyway.
-------------------

As part of my list of updates this morning I had one from a third party (Squeezebox Server from debian.slimdevices.com), which is not key-signed.

When I selected OK to upgrade all of them, I got a message box "Requires installation of untrusted packages" (The action would require the installation of packages from unauthenticated sources.). The only option is 'Close' and there is no indication of what to do to authorise this! It prevented me upgrading the other packages too, until I'd unchecked the squeezeboxserver package.

I guess I'll have to do it via apt-get.

I'm running 10.10, fully up-to-date, and update-manager version 1:0.142.20.
---Architecture: i386DistroRelease: Ubuntu 10.10
Package: update-manager 1:0.142.20
PackageArchitecture: all
ProcEnviron:
 PATH=(custom, user)
 LANG=en_GB.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.35-24.42-generic 2.6.35.8Tags: maverick
Uname: Linux 2.6.35-24-generic i686
UserGroups: adm admin audio cdrom dialout dip fax fuse lpadmin netdev plugdev sambashare tape vboxusers video

Revision history for this message
RedSingularity (redsingularity) wrote :

Thanks for reporting. Please run:

apport-collect 707392

To gather system info. Also attach your sources.list: (Located on desktop after running following command.)

cat /etc/apt/sources.list > ~/Desktop/Sources

Changed in update-manager (Ubuntu):
status: New → Incomplete
Revision history for this message
Tom Sutch (plumstead21) wrote : Dependencies.txt

apport information

tags: added: apport-collected
description: updated
Revision history for this message
Tom Sutch (plumstead21) wrote :

Have run apport-collect, and my sources.list is attached.

Revision history for this message
RedSingularity (redsingularity) wrote :

Run:

sudo apt-get update | tee ~/Desktop/Update1

Attach the output file to your next post.

Revision history for this message
Tom Sutch (plumstead21) wrote :

Attached as requested

Revision history for this message
RedSingularity (redsingularity) wrote :

Update looks clean. Lets see what an upgrade looks like now:

sudo apt-get upgrade | tee ~/Desktop/Upgrade1

Attach file.

Revision history for this message
Tom Sutch (plumstead21) wrote :

The attached was generated when I said 'no' to installing without verification (I guess that question, and the default response of N, is what floors update-manager). I didn't want to say 'yes' as this would remove the test case!

Revision history for this message
RedSingularity (redsingularity) wrote :

Did you get the pgp key for squeezeboxserver when you added it to your source list?

Revision history for this message
Tom Sutch (plumstead21) wrote :

No, that's the point: there isn't a PGP key, the package is not signed, and that's why Update Manager is complaining about untrusted packages. While this isn't ideal, (and I could at least do apt-get upgrade) I used to be able to upgrade it via Update Manager but now it seems I can't. Also, the error message in Update Manager doesn't give any indication of what you should do to move forward which isn't very friendly to newish users.

Revision history for this message
RedSingularity (redsingularity) wrote :

Ok, that explains it then. It may be a regression or it may have been implemented by the developer as a safety net. Either way I am going to reproduce this bug on my machine to confirm it. If it was a regression, we can mark this to have the developer look at it and fix. If it was implemented on purpose, we can send a request to make it more "user friendly" as you said.

Your details say your running 10.10 32bit. Just confirming, is this correct?

Revision history for this message
Tom Sutch (plumstead21) wrote :

Thanks. Yes, that's correct.

Revision history for this message
RedSingularity (redsingularity) wrote :

I can confirm this on my machine. 10.10 32bit Fresh install. Seems to be a regression because there is no problem in a 10.04 32bit fresh install. In 10.04 update-manager asks if you would like to continue and then does so accordingly. Marking and updating description.

Changed in update-manager (Ubuntu):
status: Incomplete → Confirmed
description: updated
tags: added: regression-release
description: updated
Changed in update-manager (Ubuntu):
status: Confirmed → Triaged
importance: Undecided → Low
Revision history for this message
normcf@gmail.com (normcf) wrote :

I have this same issue in 11.10, but with a different package.
uname -a
Linux machineName 3.0.0-19-generic #33-Ubuntu SMP Thu Apr 19 19:05:14 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

I have tried unclicking some of the packages to be installed, but none of the attempts has been able to get past the package it's complaining about. I even tried, several times, unclicking everything but one upgrade but the problem persists. The error popup shows:

desktopcouch desktopcouch-ubuntuone libmission-control-plugins0 pidgin-otr python-desktopcouch-application python-desktopcouch-records telepathy-mission-control-5 ubuntu-minimal ubuntu-standard update-manager update-manager-core vim-common vim-tiny

Also, for some reason, it is not prompting me for my password any more. I hope this is a bug, not a security problem.

Thanks,

Revision history for this message
normcf@gmail.com (normcf) wrote :

Well, I ran the "check" for new updates and there was a change in the list (exactly what I cannot tell), but this time updates happened. Sorry to wake up this old thread.

Revision history for this message
rduke15 (rduke15) wrote :

Same problem in 12.04 LTS: cannot install updates from an unsigned repository.

"apt-get upgrade" prompts, and lets the user decide whether to install or not:

    WARNING: The following packages cannot be authenticated!
         unsigned-package1 package2 etc.
    Install these packages without verification [y/N]? y

Update-manager should have a similar behaviour:

- Either give the option to upgrade the package(s) without verifictaion

- Or upgrade the other (authenticated) packages, and tell the user that the unauthenticated package(s) should be upgraded by running "apt-get upgrade" at the command-line.

Revision history for this message
Jussi Lind (jussi-lind) wrote :

I just run into this on 12.10. Why does this horrible usability issue still exist? :)

Revision history for this message
assassini (assassini) wrote :

This still happens on 13.04!

tags: added: precise quantal raring
tags: added: trusty
Revision history for this message
guillaume ramelet (guillaume-ramelet) wrote :

Do you think we can ask debian.slimdevices.com maintainers to add a pgp key ?

For a reason the stable version of logitechmediaserver doesn't work here with trusty, I use testing version then. My point is that I have to update the package quite frequently (once a week), and have to use a keyboard for it. (not quite convenient, this is an htpc)

tags: added: utopic
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Related questions

Remote bug watches

Bug watches keep track of this bug in other bug trackers.