What's happening in Noble repositories?

To be clear, it’s not about rebuilding packages “with a dependency on xz/lzma”. By and large, those packages are dynamically linked to liblzma, so rolling back the liblzma library itself is sufficient to address any runtime impact of liblzma.

However, the compromised liblzma and xz-utils were present in the build environment of every amd64 package built since February 26. And both apt and dpkg link to liblzma. Since analysis by security researchers of the compromised payload is still ongoing and we don’t know what other tricks might be included in addition to the sshd backdoor, out of an abundance of caution we are treating all amd64 binaries built while this compromised liblzma was installed as “tainted” and are in the process of rebuilding.

Expect a more detailed explanation to be published in the next couple of days (possibly not until after the holiday weekend).

11 Likes

I am trying to install dolphin in Noble, and get errors like the following. It seems that many dependencies have updated versions, but the packages that depend on them have not been updated.

$ sudo apt install dolphin
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 dolphin : Depends: libdolphinvcs5 (= 4:23.08.5-0ubuntu1) but 4:23.08.5-0ubuntu2 is to be installed
E: Unable to correct problems, you have held broken packages.

I am encountering similar errors in Qt-based packages like Octave and Kalzium.

Is this error possibly related to this post?

That’s this problem, yes.
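
The version skew visible in the apt output above can be extracted mechanically. This is an added example, not part of the original posts: the function name `version_skew` is hypothetical, and the sample input is the apt output quoted in the question. It reports each strict (`=`) dependency whose candidate version differs from the required one, and whether only the packaging revision changed.

```shell
#!/bin/sh
# Added example: find strict-version dependency skew in apt's
# "unmet dependencies" report. Sample input is copied from the post above.
SAMPLE_APT_OUTPUT='The following packages have unmet dependencies:
 dolphin : Depends: libdolphinvcs5 (= 4:23.08.5-0ubuntu1) but 4:23.08.5-0ubuntu2 is to be installed
E: Unable to correct problems, you have held broken packages.'

# Reads apt output on stdin. For every "Depends: X (= V1) but V2 is to be
# installed" entry with V1 != V2, prints:
#   <package> <dependency> <required> <candidate> <revision-only|upstream-change>
version_skew() {
    awk '
    {
        # Locate the Depends:/PreDepends: token; continuation lines for the
        # same package omit the "pkg :" prefix, so pkg is carried over.
        for (i = 1; i <= NF; i++)
            if ($i == "Depends:" || $i == "PreDepends:") break
        if (i > NF) next
        if (i >= 3 && $(i-1) == ":") pkg = $(i-2)
        # Only strict "(= version)" relations with a concrete candidate.
        if ($(i+2) != "(=" || $(i+4) != "but" || $(i+7) != "to") next
        dep  = $(i+1)
        want = $(i+3); sub(/\)$/, "", want)
        have = $(i+5)
        if (want == have) next
        # Debian versions are [epoch:]upstream[-revision]; strip the revision
        # to see whether only the packaging revision was bumped.
        uw = want; sub(/-[^-]*$/, "", uw)
        uh = have; sub(/-[^-]*$/, "", uh)
        kind = (uw == uh) ? "revision-only" : "upstream-change"
        print pkg, dep, want, have, kind
    }'
}

# Stand-alone run on the sample from the post.
printf '%s\n' "$SAMPLE_APT_OUTPUT" | version_skew
```

A `revision-only` result means the dependency was re-uploaded at the same upstream version while the package that pins it has not yet been rebuilt to match.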

Would this be connected too?
This error could be caused by required additional software packages which are missing or not installable. Furthermore there could be a conflict between software packages which are not allowed to be installed at the same time.
Transaction failed: Package dependencies cannot be resolved
The following packages have unmet dependencies:

init: systemd-timesyncd: Depends: libsystemd-shared (= 255.4-1ubuntu6) but 255.4-1ubuntu6 is to be installed

Would it be considered advisable to remove / format any current Noble installs and replace them once more is known, or is that not necessary?

The Noble archives are in a changing state and have been for a while with the time_t transition. Now they’re in a similar—if not worse—state with a security bug whose impact is not fully understood. Personally, I’d avoid using any Noble installs right now. When everything is well known and the archive is in a manageable state, and ISOs start building again, then I would make a new install and carry on like normal.

The one thing I’d absolutely advise: don’t use Noble in production right now.

6 Likes

Moderator Note:

This topic is for sharing constructive information about the problem, status of solutions, and relevant questions and discussion. Questions to help folks understand are on-topic and welcome.

This is not a topic for general complaints. Off-topic items will be removed to keep this conversation on-topic.

Folks who are frustrated that Noble ISOs aren’t working for them today: Please understand that everybody already knows, and that everybody already agrees with you.

Thank you for your understanding.

7 Likes

So, atm all the proposed up-to-date packages are being updated too.

Beta Freeze will be postponed due to problems with xz?

1 Like

I appreciate all the effort being done to ensure things are done correctly instead of done quickly. I’ll happily wait for all this work to complete considering the XZ issues.

4 Likes

Yes, thanks to this huge effort this weekend.

:slight_smile:

1 Like

Nobody has said that Beta Freeze won’t be today, so it seems like it is. :smile:

1 Like

And what about the many missing amd64 packages?

For example if you look at libarchive13, libarchive-dev and libarchive-tools packages in Noble they all have: arm64 armhf i386 ppc64el riscv64 s390x and no amd64.

https://packages.ubuntu.com/search?keywords=libarchive&searchon=names&suite=all&section=all

Also as you can see the other Ubuntu versions do have the amd64 architecture packages.

Another example is Lomiri Operating Environment packages:

https://packages.ubuntu.com/search?suite=all&section=all&arch=any&keywords=lomiri&searchon=names

Another one aptitude:

https://packages.ubuntu.com/search?suite=all&section=all&arch=any&keywords=aptitude&searchon=names

Are all of those related to the time_t transition, or is it some other problem?

Long story short: this is expected. The Noble repos are in flux for multiple reasons as mentioned above.

2 Likes

As stated in the IRC snippet by vorlon quoted earlier in this thread, amd64 binaries built when the affected xz-utils was in -proposed have been deleted. These will be replaced by doing rebuilds of those packages, which is in progress but not yet complete.

2 Likes

This snippet from the latest update on the xz security issue should hopefully give a clearer indication of the massive overhaul that is happening in the Noble repos right now:

2 Likes

New here. Joined after finding this post when I set out to see why the upgrade included so many i386 packages instead of amd64 ones. Seems like I’ll have to wait for a while now.

I discovered it yesterday when I decided I wanted to install 24.04 and try it out, but I couldn’t install anything I actually use (GIMP, LibreOffice, etc etc etc). I came on this thread as the problem for all the missing packages and broken dependencies.

I’m sure that rebuilds are well underway, my question is will this delay the release on 4/25?

You may have seen the Beta was delayed by a week:

This is reflected on the official release schedule:

as well as this event that was made for it:

but you’ll notice that the final release date hasn’t changed, either in the official release schedule or the event created for it:

tl;dr no

2 Likes

This hosed my entire system. Thank goodness for timeshift. I reverted back to 22.04 to find mutter was broken. Ubuntu seems to be in a bad place.