Internal ID | FO067 |
---|---|
Title | Phased updates group |
Status | Pending Review |
Authors | @juliank |
Type | Standard |
Created | 2022-06-23 |
Abstract
Phased updates roll out updates in stages. Sometimes two updates depend on each other, like shim-signed and grub2-signed, or evolution and evolution-data-server. At the moment, a machine might be eligible for one of them and then try to remove the other. In general, if both updates are seeded at e.g. 10% the probability of installing both of them would be less than 10% which is not what we want.
Rationale
Updates currently end up with the wrong probability if split across source packages, and might cause solver breakage, leading to less systems getting the phased update and in the worst case, broken systems.
Specification
Currently APT uses the template ${Source-Name}-${Source-Version}-${Machine-Id}
to seed a random number generator to determine a percentage range. To address the issue at hand, we will make the first part configurable with the introduction of a Phased-Update-Group
field in the Packages
file alongside the Phased-Update-Percentage
field.
This must be a list of source packages and their versions, such as
Phased-Update-Group: package (= ${package:Source-Version}),
other-package (= ${other-package:Source-Version})
However, clients must not parse the value, but only use it to replace the initial part of the random number generator seed.
All binaries produced by the listed source package versions must have the same value for Phased-Update-Percentage
and Phased-Update-Group
, optimally across all pockets if they share the same versions (or no percentage).
Further Information
The first iteration of the specification specified that APT would parse that string, and then calculate the minimum percentage of all packages listed in there. This is technically cleaner, but also requires complex slow code on the client side. For the sake of simplicity, shifting the burden of consistency to the server simplifies things.
One problematic bit is when users have -updates pockets enabled for two releases, which sometimes happen (but is not exactly supported), and the same version is available in multiple releases (e.g. shim is binary copied): The values for Phased-Update-Group
and Phased-Update-Percentage
may end up different. This can cause inconsistent phasing depending on the order of the sources.list entry as only the first entry for a version wins, so if you have focal-updates and jammy-updates and you have shim 1 and shim-signed 1~20.04 and 1~22.04, shim would phase using the focal values, whereas shim-signed would phase using the jammy values.
Mismatches like this would again cause a reduction in probability of both packages being phased at once and might cause the updates to be uninstallable. The behavior will be more similar to what it is now, without such grouping.
APT provides the guarantee in such a case that the package that’s uninstallable will not be removed, as it is marked “keep” and “protected” in the solver. It’s of course always possible the solver (which is greedy and organically grown over 25 years) gets confused or has a bug and breaks (e.g. LP: #1990684.