2

(this is a rewrite of the original question as suggested in the comments)

I'm running Ubuntu 22.04 and am using firefox from the mozillateam ppa. My setup has ppa-firefox at priority 1001 (as suggested here) and my snap-firefox at priority 500 (default). Today, unattended-upgrades silently replaced my ppa-firefox with snap-firefox and I have trouble figuring out why.

I managed to reinstall my ppa-firefox with a simple apt-get remove firefox; apt-get install firefox so I suspect the priorities are working, but unattended-upgrade somehow didn't respect them. The question is why?

Here's my ppa-firefox app-pin:

$ cat /etc/apt/preferences.d/mozilla-firefox
Package: *
Pin: release o=LP-PPA-mozillateam
Pin-Priority: 1001

Here's my current apt-cache policy after reinstalling firefox:

# apt-cache policy firefox
firefox:
  Installed: 120.0+build1-0ubuntu0.22.04.1~mt1
  Candidate: 120.0+build1-0ubuntu0.22.04.1~mt1
  Version table:
     1:1snap1-0ubuntu2 500
        500 http://de.archive.ubuntu.com/ubuntu jammy/main amd64 Packages
 *** 120.0+build1-0ubuntu0.22.04.1~mt1 1001
       1001 https://ppa.launchpadcontent.net/mozillateam/ppa/ubuntu jammy/main amd64 Packages
        100 /var/lib/dpkg/status

The unattended-upgrades-log admits it:

$ grep 'Unpacking firefox' /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
Unpacking firefox (1:1snap1-0ubuntu2) over (119.0.1+build1-0ubuntu0.22.04.1~mt1)

(See also here, and here)

EDIT: I have since given priority -1 to both snap and snap-firefox, as suggested in comments and answers to the questions above. So, I suppose this is fixed, but the question why unattended-upgrades replaced my ppa-firefox in spite of its higher priority (1001 > 500) remains open.

igel
  • 167
  • If you use the PPA without additional pinning in APT, the DEB package from the Ubuntu sources is always prioritized over other sources. Please edit your question and add information whether you applied pinning in APT or not. – noisefloor Nov 17 '23 at 09:55
  • Hm apt-cache policy firefox please. – nobody Nov 17 '23 at 10:08
  • Sorry I don't have an apt-cache policy firefox from when it happened and the one I did now after re-installing firefox looks as expected. – igel Nov 17 '23 at 10:34
  • 1
    Check my answer on how to prevent snap running havoc. I removed snap completely because I chose Linux and not windows with its redundant exe files. – kanehekili Nov 17 '23 at 12:40
  • @kanehekili thanks for the link. On the linked website https://fostips.com/ubuntu-21-10-two-firefox-remove-snap/ it says to give snap-firefox Priority -1 since Without this section, Firefox will go back SNAP once you disabled/removed the PPA and run system update. However, neither did I disable/remove the PPA, nor did I run system update. The second point has since cleared up (it's unattended-upgrades) but the first is still confusing me. – igel Nov 17 '23 at 13:00
  • 2
    Please take a look at this answer, look for the sentence To ensure that unattended upgrades do not reinstall the snap version of Firefox,... and the following command which you probably didn't run. – mook765 Nov 17 '23 at 13:32
  • @mook765 that's a great answer there, thanks for the link. Indeed I did not tell unattended-upgrades to not reinstall snap-firefox because I didn't know about unattended-upgrades :) – igel Nov 17 '23 at 13:37
  • @user535733 thanks for your thoughts. Regarding title, ubuntu did install software that I did not want and the question relates to this title: I am asking what mechanisms Ubuntu has to install things I don't want, so the title is true and relevant. App-Pinning just triages the one example I gave here.

    I am removing the line regarding snap and I apologize.

    Finally, could you explain how installing something that I explicitly uninstalled and rendering my browser unusable is not nefarious? In the Windows world, this behavior is considered nefarios, why would it not be in the Linux world?

     – igel Nov 17 '23 at 13:45
  • Most probably you only thought you were using ppa/deb Firefox when it was snap. You cannot do that until you do what you were instructed here. The PPA changes nothing. Snap Firefox comes as default and stays until you disable it. I had exactly the same problem.For the moment it is the only important application that comes as snap already installed, so I still use snap for rare programs, but Firefox I simply run it locally (unpack and run), it updates itself. Or: https://support.mozilla.org/en-US/kb/install-firefox-linux#w_local-firefox-installation-in-users-account. – cipricus Nov 17 '23 at 14:31
  • 1
    @cipricus I excluded this possibility because snap-firefox cannot use my profile, so when my profile comes up, I know it's ppa-firefox. This was my initial problem with the automatic "upgrade" to snap-firefox: it could not launch. Further, the unattended-upgrades-log that I pasted in the question confirms that my ppa-firefox was indeed silently replaced with the snap-firefox. – igel Nov 17 '23 at 14:35
  • Well, it was just a hint, I cannot say I understand snaps or flatpak, I have both installed with a few programs (Kodi and ScanTailor as flatpak, VLC4 as snap) but Discover (Kubuntu) acts as if these were not enabled. I prefer appimages. I am glad to see that LibreOffice promotes them. – cipricus Nov 17 '23 at 14:41
  • The title of your question is anyway a bit odd. How can one tell what programs you don't want? If you are interested in understanding what automated installation mechanisms Ubuntu uses by contrast to other systems if any, you should ask a specific question, given that the snap/Firefox topic is already confusing. – cipricus Nov 17 '23 at 14:47
  • The edits have much improved the question. Thank you for improving the question. – user535733 Nov 17 '23 at 14:50
  • "restart firefox to continue browsing because of an update" suggests that you were perhaps already running the Snap version...but didn't realize it. In other words, not a new problem but an old problem that you coincidentally just discovered – user535733 Nov 17 '23 at 14:54
  • 1
    @user535733 but the unattended-upgrades-log I pasted in the question says it replaced ppa-firefox with snap-firefox. – igel Nov 17 '23 at 14:57
  • @cipricus I suppose you're right, I should probably make a concise question about automatic installation and delete this question here. However, to answer your question: it is very simple to know what I want: every X for which I said "apt-get install X" in the past + everything required for it to run. Neither snap nor snap-firefox qualifies. – igel Nov 17 '23 at 14:58
  • No need to delete here, change its title to fit the FF-snap specificity (remove opinionated views about hidden intentions), ask a different one on what goes behind the counter if the case. – cipricus Nov 17 '23 at 15:00

2 Answers2

3

The unattended-upgrades-tool is configured by default to upgrade packages only from the distribution's repositories. You can take a look at the configuration file /etc/apt/apt.conf.d/50unattended-upgrades.

The unattended-upgrades-tool does not know about packages from third party repositories unless you add them to the configuration file or add an extra configuration file which includes them.

Example for firefox:

echo 'Unattended-Upgrade::Allowed-Origins:: "LP-PPA-mozillateam:${distro_codename}";' | sudo tee /etc/apt/apt.conf.d/51unattended-upgrades-firefox

If you don't add the repository to the configuration, the pinning you mention is worthless since the unattended-upgrades-tool does not know about the package and also don't know about its pinning.

That's why your firefox-package from the ppa got upgraded to the transitional firefox package from the ditibution repository which then pulls in the snap and all necessary dependencies like snapd. It's only a question of version numbers in this case.

Reference

terdon
  • 100,812
mook765
  • 15,925
2

The entry for pinning is not enough, you need to de-prioritize the DEB package from the sources as well.

The following steps should work:

  • uninstall the Firefox installed via the PPA (if still present).
  • disable the PPA
  • uninstall the Firefox from the sources:
    • sudo apt remove firefox
    • sudo snap remove firefox
  • create a file like mozillateam under /etc/apt/preferences.d
  • add the following content to the file:
Package: * 
Pin: release o=LP-PPA-mozillateam
Pin-Priority: 100

Package: firefox*
Pin: release o=LP-PPA-mozillateam
Pin-Priority: 1001


Package: firefox*
Pin: release o=Ubuntu
Pin-Priority: -1
  • add the Mozilla PPA again
  • sudo apt update
  • install the Firefox - should be pulled from PPA now
noisefloor
  • 1,086
  • My apt-get install firefox did pull firefox from the ppa and it was working before something on the system decided to overwrite my working firefox with the snap-version.

    My question was what mechnisms were used to install the wrong firefox without my consent and I don't see this answered in your post.

    I do understand that marking the snap-firefox with prio -1 will essentially forbid installing it and that's what I did after the incident, but it doesn't answer the question.

     – igel Nov 17 '23 at 10:27
  • 1
    Of course it does answer your question. You added a second source to you system, but the first source, the DEB package from the Ubuntu sources installing the snap, has still higher priority. So as soon as an updated version is available in the Ubuntu sources, the snap will be installed again / updated. This is the standard behaviour when running apt upgrade - either manually or automatically by the system. – noisefloor Nov 17 '23 at 10:39
  • 1
    Maybe phased updates. like here https://askubuntu.com/questions/1413293/preventing-snapd-installation-with-a-negative-pin-priority-no-longer-works/1413412#1413412 – nobody Nov 17 '23 at 10:40
  • @noisefloor my apologies, if your answer does indeed answer What hidden mechanisms does Ubuntu have to install software without my consent then I still don't get it. – igel Nov 17 '23 at 12:05
  • @noisefloor but the first source, the DEB package from the Ubuntu sources installing the snap, has still higher priority - did I get that right that a priority of 500 is considered "higher" than a priority of 1001? Further, if the DEB still has higher priority, why did apt-get install firefox pull the correct firefox from the ppa? I don't get it... – igel Nov 17 '23 at 12:13
  • I'm not sure about all the details on "which where when" apt pinning pulls which priority. But the tutorials and recommended procedures I know all recommend apt pinning as above. And from feedback of users on the German support platform ubuntuusers.de the above works for sure. – noisefloor Nov 17 '23 at 12:20
  • @nobody thanks for the link. As far as I understood from https://askubuntu.com/questions/1431940/what-are-phased-updates-and-why-does-ubuntu-use-them phased updates just mean that some users get a new package version sooner than others. That doesn't seem to explain how packages get onto the system without me knowning about it. – igel Nov 17 '23 at 12:22
  • I had same thing, using Firefox ppa. And Firefox came right back. I have no snaps and still have no snaps. Firefox did update this morning with my houseclean & update script that I normally run every day. I have changed setting as suggested. https://www.omgubuntu.co.uk/2022/04/how-to-install-firefox-deb-apt-ubuntu-22-04 – oldfred Nov 17 '23 at 15:17
  • 1
    When phased updates are active packages where are in phase get the pin priority 1 – nobody Nov 17 '23 at 15:55
  • @nobody ooooh, I understand. The apt manpage reads like this is supposed to "hold back" the package but practically may have the opposite effect it seems ^^ – igel Nov 17 '23 at 16:13
  • @nobody wait, but 1 is still strictly smaller than 1001, so how does that lead to the installation of the 500-prio snap-firefox over the 1001-prio ppa-firefox? – igel Nov 17 '23 at 16:24