To understand why this happens, one should first understand how stock apt (that is, apt without any priorities set) works. Let's say you want to run an upgrade using apt upgrade (I assume this is what you mean by apt-upgrade, since I cannot find any info on apt-upgrade): first, apt will check the local versions of all installed software against the remote versions in a repository and see if there even needs to be an upgrade of packages. To demonstrate, let's create a hypothetical scenario in which 1 package, sayhello, needs to be upgraded.
Here's an imaginary changelog:
sayhello 1.1 now depends on libhello (>= 1.0) to print "hello."
Now imagine you have two sources listed in your sources.list, one being the stock Ubuntu repos, and another being Jim's amazing taco repo.
Jim's repo contains these 3 packages:
jimplayer 2.5 (No depends)
jimsbetterhello 1.0 (Depends on libhello (>= 2.0))
libhello 2.0 (No depends)
You only used this repo to install jimplayer a while back, but later on it seems that Jim decided to add jimsbetterhello to the repository. Now here's where things get interesting...
Ubuntu's repos still use libhello 1.5 for compatibility reasons (as some packages don't work on the new libhello version yet).
Now, when apt goes to upgrade sayhello, it runs into a conundrum. There are 2 versions of libhello it can install! Which one should it choose? Well, by default apt will choose the latest version of a package that doesn't conflict with other currently installed packages.
Now, normally this process is transparent to a user, but if you haven't added the GPG keys for a third-party repository, or the keys changed or some other thing, even though you installed sayhello from the default Ubuntu repositories, libhello 2.0 is going to be an untrusted package, and apt is going to warn you about that. This is just one of the many different permutations of why apt could be warning you about this. It could also be due to missing packages only available in a third-party repository you have added. The best workaround is to set the default repositories to a higher priority, as well as prune any unnecessary third-party repositories without their keys added to the trusted keychain.
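
The priority workaround from the answer above, modelled as an added example (it is not part of the original answer and is not apt's own code): a simplified version of the candidate-selection rules in apt_preferences(5), applied to the answer's packages with and without a low priority on Jim's repo. The origin labels, the installed jimplayer 2.4 and the dotted-number version comparison are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Version:
    package: str
    version: str
    origin: str    # repository the version comes from ("installed" = local dpkg status)
    signed: bool   # True when the repository's key is in the trusted keyring

def vkey(version):
    # Assumption: dotted numeric versions only. Real apt uses the full
    # Debian ordering (epochs, tildes, revisions).
    return tuple(int(part) for part in version.split("."))

def candidate(package, available, installed, pins):
    """Choose the install candidate using the rules in apt_preferences(5)."""
    current = installed.get(package)
    best = None
    if current:  # the installed version competes at priority 100
        best = ((100, vkey(current)), Version(package, current, "installed", True))
    for v in available:
        if v.package != package:
            continue
        prio = pins.get(v.origin, 500)  # unpinned repositories default to 500
        if prio < 0:
            continue  # negative priority: never install from this origin
        if current and vkey(v.version) < vkey(current) and prio <= 1000:
            continue  # downgrades need a priority above 1000
        rank = (prio, vkey(v.version))
        if best is None or rank > best[0]:
            best = (rank, v)
    return best[1] if best else None

# Constructed data based on the scenario in the answer.
UBUNTU, JIM = "ubuntu-archive", "jims-taco-repo"  # hypothetical origin labels
AVAILABLE = [
    Version("libhello", "1.5", UBUNTU, True),
    Version("libhello", "2.0", JIM, False),   # Jim's key was never added
    Version("jimplayer", "2.5", JIM, False),
]
INSTALLED = {"jimplayer": "2.4"}  # assumed older installed version

if __name__ == "__main__":
    for pins in ({}, {JIM: 100}):
        for pkg in ("libhello", "jimplayer"):
            c = candidate(pkg, AVAILABLE, INSTALLED, pins)
            print(pins or "no pins", pkg, c.version, c.origin,
                  "" if c.signed else "(untrusted: apt would warn)")
```

On a real system the same effect comes from a pin stanza under /etc/apt/preferences.d/, and `apt-cache policy libhello` shows which version ends up as the candidate. Note that jimplayer still upgrades from Jim's repo at priority 100, because no higher-priority source offers it.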