How to trace the origin of how updates make it into my Ubuntu machine?

Asked Aug 30 '15 at 21:27

Active Sep 07 '17 at 06:07

Viewed 568 times

How do I find the full "community history" of how the updates listed by "software updater" made it into my Ubuntu machine?

The question is for the general workflow to obtain the "community history" of updates, not the "community history" of all updates available.

What I am after is for example

Patch(es) related to the update on mailing list(s)
Community discussions about the update
Source code related to the update
Git commits related to the update
People responsible for the update
How does software updater know which repositories to fetch updates from?
If software updater finds updates for a specific package in different repositories, but one is older and the other is newer, how does it select?
etc

Background:
It seems about once or a couple of times each week the "Software updater" displays:

Updated software is available for this computer. Do you want to install it now?

From what I understand, these updates are the same as SRUs - Stable Release Updates? Or are only updates from Canonical/Ubuntu called "SRUs", while non-Canonical/Ubuntu updates are not called SRUs?

Here is a screenshot of my "Software Updater", how do I for example find the "community origin" (patch(es), discussions, etc, if any) of the Chrome update (Available version: 44.0.2403.157-1) which is highlighted in the screenshot? Then when this update is installed, where do I find info about it on my machine?

How do I list all the updates installed on my machine and how do I list all the available updates that are not yet installed?

The suggested duplicate of "Show apt-get installed packages history via commandline?" asks about listing packages installed, my question is about updates and how to trace the origin of the updates and how they make into my Ubuntu machine.

edited Sep 07 '17 at 06:07

Zanna

70,465

asked Aug 30 '15 at 21:27

Markus

2 Answers2

First off, an important clarification:

The terms "Stable Release Updates" and "Security Updates" (don't forget them!) apply to packages in main, universe, restricted and multiverse. PPAs or other third-party repositories may have their own release schedules and policies. In your screenshot I see "google-chrome-stable" -- this is not a Ubuntu package and it does not follow the Ubuntu release schedule.

Having said that, here's what you asked for:

For every Ubuntu update, the point of reference is the Launchpad bug. This is where you can find most of the information related to the problem(s) and solution(s).

You can get the bug numbers by checking the changelog of each package. For example, as of writing, this is the last entry from apt-get changelog nautilus:
```
nautilus (1:3.14.2-0ubuntu9.1) vivid; urgency=low

  * debian/patches/ignore-no-desktop-if-not-first-launch.patch:
    - Don't shut off the desktop when external application calls nautilus
      --no-desktop on a running GNOME desktop. (LP: #1453655)

 -- Chow Loong Jin <hyperair@debian.org>  Wed, 24 Jun 2015 11:50:03 +0800
```
As you can see, the log entry refers to bug #1453655.

For security bugs, generally the bug report is private (to prevent malicious people from accessing critical information) and, generally, instead of the Launchpad bug number you'll find the CVE number.
Patches applied by Ubuntu (or by Debian) are in the source package, in the debian/patches directory. If you want to download the source packages for Nautilus, use apt-get source nautilus.

If a Stable Release Update or a Security Update introduces a new version of the software (e.g. a new version of Firefox), you'll have to look upstream for the full delta.

Not all package sources are available under version control (git, hg, bzr, ...).
Discussion generally happen on Launchpad. If necessary, the ubuntu-devel mailing list may be used too.
People responsible for updates are the people who provide the updates (package maintainers or contributors), the Ubuntu SRU Team and the Ubuntu Security Team.

Note that not all of these people are Canonical employees. Be kind and don't forget those contributors who use their spare time to maintain stability and security in Ubuntu :-)
The process for Stable Release Updates and Security Updates is documented on the Ubuntu Wiki: https://wiki.ubuntu.com/StableReleaseUpdates and https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

edited Sep 11 '15 at 08:16

answered Sep 08 '15 at 12:22

Andrea Corbellini

15,826

Thank you for your answer! So when "software updater " pops up with a list of updates as in the screenshot, how do I know which updates are non-ubuntu updates and where they come from? I guess an idea would be to add this info to "software updater " to make it easy accessible, if it isn't already? – Markus Sep 10 '15 at 02:20
1

@Markus: from the software updater window, I don't know. From the command line: apt-cache policy package-name. This will list all available versions of the package and their origin (the package with the highest version is the one that is going to be installed). – Andrea Corbellini Sep 11 '15 at 08:16
Thanks again! On the contrary, how do I list all updates in my system which do not originate from software updater? I guess it is possible that I or someone "manually" installs updates, for example a newer kernel version, or a newer version of some other package - how do I list all these "manual" updates? – Markus Sep 11 '15 at 09:07
1

@Markus: not sure I have understood your question. However, if you want to see the history of all packages that have been already installed or upgraded or removed, check /var/log/apt/history.log and /var/log/dpkg.log. Note though that if security is your concern, and if somebody can install/upgrade arbitrary packages, then these logs (as well as other files) can be compromised. – Andrea Corbellini Sep 11 '15 at 09:39
I'll try to clarify my question: Let's say I have an Ubuntu 14.04 machine with all latest updates installed. However, there is a newer version of package "x" (for example thunderbird) available in the community, but "software updater" does not automatically "give" me this newer version. Then, as far as I understand, I can install this newer version, but I can't use "software updater" for the install. The questions is: how do I list all the packages which have newer/other versions than what is provided by "software updater"? – Markus Sep 11 '15 at 11:44
1

@Markus: if you install software without using a package manager, then it's your responsibility to keep track of them. Ubuntu's Software Updater, APT, dpkg only know about packages in the repositories. – Andrea Corbellini Sep 12 '15 at 11:31
How/where does "software updater" check for updates? Does "software updater" read /etc/apt/sources.list to find all repositories it should look for updates in? Or does it use some other mechanism? If I add a line in /etc/apt/sources.list that points to a repository which has a newer version of "thunderbird (email program)" than what is provided by my Ubuntu 14.04 version, how can I afterwards check that I am using a newer version of "thunderbird" than what is provided by Ubuntu 14.04? – Markus Sep 15 '15 at 08:28
Also, how do I list all the available updates not installed on my machine?
For example the following page seem to contain a list fixes https://wiki.ubuntu.com/TrustyTahr/ReleaseNotes/ChangeSummary/14.04.3
How do I compare this list with what I have in my Ubuntu 14.04.3 machine in order to find any diff, in an automated way? Or is something similar usually done in a different way?
– Markus Sep 15 '15 at 12:51
1

"Software Updater" is a frontend to APT, so yes: it uses /etc/apt/sources.list and related files. It works by querying the sources listed in /etc/apt/sources.list and validating the responses using GPG signatures. To check whether you are using the official package or not, use apt-cache policy. To list packages that can be upgraded, use apt-get -u upgrade. About the ChangeSummary: please open a new question (and maybe link it here in the comments, so that I can provide an answer). – Andrea Corbellini Sep 15 '15 at 15:16

Regarding linux kernel, you can look into the kernel git and see all commits.

Regarding other packages, in most cases there is a launchpad bug link in changelog.

You can see the history of updates in /var/log/apt/history.log

For each package you can get a changelog by

apt-get changelog <package_name>

You can follow that link and see the history of that bug.

Regarding packages provided by 3rd parties, like Google Chrome and PPAs, there is no specific way to get this information. It can be available or not. It depends on 3rd parties.

Google Chrome is provided by Google and Ubuntu community is not involved. You can ask at Google support sites if this information is available. I am not sure that it is.

You can see how SRU works at Ubuntu wiki

edited Sep 03 '15 at 14:10

answered Sep 01 '15 at 11:29

Pilot6

90,100
91
213
324

Thanks for your answer, what I am after is some kind of general way of obtaining the SRU origin. I guess somebody in the Ubuntu community is responsible of each Ubuntu SRU?
Which "changelog" are you referring to?
– Markus Sep 01 '15 at 11:42
1

If you click some other package, not google-chrome, you will see changelog. There is always a bug link there. Regarding google-chrome, no one in Canonical is responsible for that. – Pilot6 Sep 01 '15 at 12:52
Ok thanks. Regarding google Chromegoogle-chrome, I understand that Canonical does not develop it, but I would guess someone in Canonical is responsible for bringing it in? Where do I find info about the "bringing it in "process for tid particular case? – Markus Sep 01 '15 at 13:04
1

Canonical does not "bring it in". You install it using a deb file from google site, and updates are made from google repositories. – Pilot6 Sep 01 '15 at 13:06
Ok, so for google-chrome there is no involvement from Canonical in the path of an SRU from google to my machine? However, I guess there are lots of updates (SRUs) where Canonical is involved and decides whether to create an SRU or not? How does this "process" work? – Markus Sep 02 '15 at 13:18
I added a link to the answer. – Pilot6 Sep 02 '15 at 13:25
Thanks, I have seen the content of this link, however, in general, how do I apply that to the original question "How do I find the full "community history" of how the updates (SRUs) listed by "software updater" made it into Ubuntu?" I would like to have full traceability of all SRUs before I accept installing them on my machine. – Markus Sep 02 '15 at 15:21
1

I already answered this. You can find a launchpad bug number in the changelog and open it there. You will see who reported the bug, comments there and who fixed it. – Pilot6 Sep 02 '15 at 15:23
Ok, thanks. How about all the SRUs I have "applied blindly" just by clicking accept, is there some way of listing those on my machine and review the "community history" of each SRU? I guess the "launchpad bug number" could/should be available somewhere on my machine for all the SRUs already installed? – Markus Sep 03 '15 at 06:49
1

I added that too. – Pilot6 Sep 03 '15 at 08:46
Thanks a lot for your help, starting to understand the workflow. In addition, to see which repository an SRU is installed from, command(s) provided in the following link can be used: http://askubuntu.com/questions/8560/how-do-i-find-out-which-repository-a-package-comes-from For example, the following command can be used for google-chrome-stable: apt-cache policy google-chrome-stable – Markus Sep 03 '15 at 13:40
I think you can remove the "This question is too broad if you want to get information of all packages." in the answer - I updated the question that it is not what the question is about. – Markus Sep 03 '15 at 14:06
Also, do you have any answer to the question regarding whether the updates listed by "Software Updater" are the same as SRUs?
"From what I understand, these updates are SRUs - Stable Release Updates?"
– Markus Sep 03 '15 at 14:14
1

If you ask about Ubuntu packages, then yes, they came through SRU procedure to get to updates. Third party packages from PPA or other repositories have their own procedures. – Pilot6 Sep 03 '15 at 14:16
Thanks for your help! How do I know if an update listed by "Software Updater" is an Ubuntu SRU? Do Ubuntu SRUs always have a changelog appended to the SRU? – Markus Sep 03 '15 at 14:22
Any idea regarding the previous question? – Markus Sep 04 '15 at 12:26