Downgrade is the new upgrade
Downgrade is the new upgrade
Posted Dec 22, 2011 3:09 UTC (Thu) by dlang (guest, #313)In reply to: Downgrade is the new upgrade by jrw
Parent article: Ubuntu disabling the Sun Java JDK browser plugin
So Canonical has the options of leaving it in place and having the desktops hacked, or removing it.
the upgrade process doesn't have the ability to do the type of notification that you would like, I'll bet that if you were to dig down into the system to see what was upgraded with the new package, it would tell you exactly what was going to happen and why.
but nobody bothers to read those details.
Posted Dec 22, 2011 3:47 UTC (Thu)
by jrw (subscriber, #69959)
[Link] (11 responses)
After the update broke my java, my research did discover this rationale. However, if I had been given the choice, I would have had no qualms about leaving the active/exploitable security holes in place on my personal desktop, which I keep relatively tight control over, rather than having java removed altogether and losing a critical application.
> So Canonical has the options of leaving it in place and having the desktops hacked, or removing it.
My complaint is with my not being given this choice. Canonical made this choice for me. And consequently broke my system in a way that cost me 3-4 hours to fix at an inconvenient time. Not happy about having to deal with that. Luckily for me, I didn't have an immediate critical need to use Netilla to remote into the servers I am responsible for, or I would have had to drive to the office in the middle of the night.
> the upgrade process doesn't have the ability to do the type of notification that you would like
I'm aware of this, but I'm not happy about it. Using the mechanism they do have available (an upgrade), they deliberately broke my desktop, in a way that had ramifications to me they couldn't possibly have understood. I wrote this post and several others on the ubuntu forums and bugs.launchpad to bring attention to this issue.
> I'll bet that if you were to dig down into the system to see what was upgraded with the new package, it would tell you exactly what was going to happen and why. but nobody bothers to read those details.
If I knew where to find this information, I would read it. If they had provided me a warning, in advance, that I was about to disable part of my system, I would have read it. If they had given me a choice, I would have made the right one for me. For me, a large part of the linux/unix culture is all about choice. I like many things about the way upgrades are handled in Ubuntu, especially how the user is given a meaningful choice about when/if to take an upgrade. But I think they dropped the ball on this one.
Hopefully, Canonical (and other distributions) will improve their tools so that they can offer such a choice in the future. I detailed what I believe is the right way of handling a priori known breakage (give the user an informed, in-your-face, choice). I also noted that some kind of checkpoint system would be very helpful in dealing with updates. I would love to see an auto-checkpoint updating system that allows me to roll back an update. I have had occasion to wish for it several times in the past.
Posted Dec 22, 2011 5:31 UTC (Thu)
by dlang (guest, #313)
[Link] (6 responses)
what tool do you use to do your upgrades? every one of the GUI tools I have seen allows you to look at each package being upgraded and see the description of the package.
> I also noted that some kind of checkpoint system would be very helpful in dealing with updates. I would love to see an auto-checkpoint updating system that allows me to roll back an update. I have had occasion to wish for it several times in the past.
this is something that many people would like to see, but actually implementing it is very hard, and can take a non-trivial amount of storage to do so (and how do you decide how long to keep this?)
If you really want this, run your system on top of LVM and take a snapshot just before you upgrade so that you can revert back to it.
Posted Dec 22, 2011 6:16 UTC (Thu)
by jrw (subscriber, #69959)
[Link] (5 responses)
> what tool do you use to do your upgrades? every one of the GUI tools I have seen allows you to look at each package being upgraded and see the description of the package.
I misread your original comment here. I use Update Manager and I have never found its detailed information useful. In this case I didn't read the detailed information. I browsed through the list of things to be updated, didn't find anything especially interesting in the list of packages, and authorized the update. I didn't find out until I rebooted one or two days later and tried to use Netilla that java had been removed.
What I'm asking for is something in-your-face when there's an expected loss of functionality. When there's a security fix, it should stand out as a danger if you don't accept the update. When there's an expected downgrade, it should stand out as a danger if you do accept the update.
>> I also noted that some kind of checkpoint system would be very helpful in dealing with updates. I would love to see an auto-checkpoint updating system that allows me to roll back an update. I have had occasion to wish for it several times in the past.
> this is something that many people would like to see, but actually implementing it is very hard, and can take a non-trivial amount of storage to do so (and how do you decide how long to keep this?)
I would think that the bulk of what I'm looking for could be achieved by just keeping the previous packages around so they can be reapplied. If a rollback is required, remove the packages that have been added and reapply the packages that have been removed.
> If you really want this, run your system on top of LVM and take a snapshot just before you upgrade so that you can revert back to it.
Perhaps LVM could be helpful here, if the LVM snapshot could be applied to just the OS partitions. Do you know of a How To for using LVM snapshots to rollback OS updates?
Posted Dec 22, 2011 6:57 UTC (Thu)
by dlang (guest, #313)
[Link] (1 responses)
so when you upgrade to GNOME 3 it should warn you that you are about to loose a lot of functionality?
somehow I don't see this taking place.
remember that every upgrade can contain regressions for somebody under some conditions.
Ubuntu does mark some upgrades as being security related. I generally use the command line not the GUI tools, so I can't point you directly at the place to look, but what I remember seeing in passing is that when presented with the list of packages to upgrade, there is a category of security patches.
> I would think that the bulk of what I'm looking for could be achieved by just keeping the previous packages around so they can be reapplied. If a rollback is required, remove the packages that have been added and reapply the packages that have been removed.
you are overestimating the smarts of the packaging tools.
a package contains several pieces, the bulk of the package is the files to install on the system.
However the complicated part of the package are the parts that prepare the system, or change the system as part of the upgrade (frequently modifying config files). These are scripts that can do anything to the system, but these scripts only know about the version of the software that's you are installing (or uninstalling for scripts that make changes when you uninstall a package), they don't know what version used to be on the system, and they cannot possibly know about what changes a newer version may have made to config files to convert them back.
This makes a package based upgrade backout _extremely_ hard to do, and given that a large percentage of upgrade problems have to do with failures of these scripts (not converting config files perfectly), relying on them to be perfect in doing a downgrade is silly.
you may be thinking "well, just make backup copies of the config files then", but this isn't limited to config files, this process can modify _anything_ on your system, databases, files, directories, ANYTHING. This is why installing packages from an unknown source can be so dangerous.
Posted Dec 22, 2011 8:03 UTC (Thu)
by jrw (subscriber, #69959)
[Link]
Also, I'm certainly aware that regressions can happen at any time and there's always some risk when updating. In fact, not so long ago, one of those regressions occurred for me during an upgrade and broke the same application (Netilla). I was not happy about that either, but I believe that it was an accidental regression. It was fixed a few days later.
In this case, the regression was well known (by the package maintainers) in advance, and in fact, the entire reason for the update was to effect a regression! That's what makes this case different and worth discussing.
As to the possibility of restoring previous versions of packages, I believe it would be a welcome step forward if the user could just retrieve and reinstall the exact previous version of the packages he just updated, in the case of a detected regression. That still seems doable in the vast majority of cases. I do understand that in some exceptional cases the changes wrought by a newer package could be so far reaching as to make recovery by reinstallation of the older package unworkable.
I'll have to look into using LVM as a checkpoint mechanism to be able to revert failed updates. But if it can't be scripted up pretty easily, it won't be worth it.
Posted Dec 22, 2011 11:35 UTC (Thu)
by nix (subscriber, #2304)
[Link] (2 responses)
Posted Dec 22, 2011 13:33 UTC (Thu)
by jrw (subscriber, #69959)
[Link]
Posted Dec 22, 2011 21:29 UTC (Thu)
by JanC_ (guest, #34940)
[Link]
Posted Dec 22, 2011 5:41 UTC (Thu)
by raven667 (subscriber, #5198)
[Link] (3 responses)
Posted Dec 22, 2011 5:58 UTC (Thu)
by jrw (subscriber, #69959)
[Link] (2 responses)
Posted Dec 22, 2011 6:58 UTC (Thu)
by dlang (guest, #313)
[Link] (1 responses)
Posted Dec 22, 2011 7:27 UTC (Thu)
by jrw (subscriber, #69959)
[Link]
As has been pointed out elsewhere, there are packaging techniques which allow for dynamically loading third-party hosted software when the outer package is installed. That may be the only remaining alternative if there's any interest in keeping these packages alive. In my case, I can download and install them manually, so that would only be a small convenience to me.
Posted Jan 27, 2012 19:50 UTC (Fri)
by mfedyk (guest, #55303)
[Link]
> remember that the existing version of java has security holes that are currently being exploited.
Downgrade is the new upgrade
Downgrade is the new upgrade
>> If I knew where to find this information, I would read it.
Downgrade is the new upgrade
Downgrade is the new upgrade
Downgrade is the new upgrade
Downgrade is the new upgrade
What I'm asking for is something in-your-face when there's an expected loss of functionality.
The irony is that text-mode updates have had this for something like ten years, thanks to apt-listchanges' NEWS-file reporting. Graphical package managers don't seem to have caught up.
I'll have to look into scripting a replacement using apt/dpkg. Thanks for the heads up!
Downgrade is the new upgrade
Downgrade is the new upgrade
Downgrade is the new upgrade
I'm not complaining because they put out an update. I'm glad they put out security updates. I'm complaining because their update was a downgrade, and they didn't tell me about it in advance, so I could skip it, and they didn't provide me any way to restore the packages after they had been neutered.
Downgrade is the new upgrade
Downgrade is the new upgrade
Downgrade is the new upgrade
Downgrade is the new upgrade