Bug#1017060: python3-apt: Candidate version returned does not respect policy

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1017060: python3-apt: Candidate version returned does not respect policy
From: Nicolas Karolak <nicolas@karolak.fr>
Date: Fri, 12 Aug 2022 14:25:48 +0000
Message-id: <[🔎] 166031434875.4519.2064074931636579139.reportbug@8d3d19f89f2a>
Reply-to: Nicolas Karolak <nicolas@karolak.fr>, 1017060@bugs.debian.org

Package: python3-apt
Version: 2.2.1
Severity: normal
X-Debbugs-Cc: nicolas@karolak.fr

Dear Maintainer,

I have an internal APT repository proxy/cache (Nexus) that is configured
with a high priority. When i try to install packages with Ansible, that
leverage this library, it tries to install the latest package found
overall my repos instead of the one with the highest priority.

Here are the steps to reproduce.

Add MariaDB repository:

```
# apt-get install apt-transport-https curl ; curl -o /etc/apt/trusted.gpg.d/mariadb_release_signing_key.asc 'https://mariadb.org/mariadb_release_signing_key.asc' ; sh -c "echo 'deb https://mirror.netweaver.uk/mariadb/repo/10.5/debian bullseye main' >>/etc/apt/sources.list.d/mariadb.list"
```

Policy without pinning:

```
# apt policy mariadb-server
mariadb-server:
  Installed: (none)
  Candidate: 1:10.5.16+maria~bullseye
  Version table:
     1:10.5.16+maria~bullseye 500
        500 https://mirror.netweaver.uk/mariadb/repo/10.5/debian bullseye/main arm64 Packages
     1:10.5.15+maria~bullseye 500
        500 https://mirror.netweaver.uk/mariadb/repo/10.5/debian bullseye/main arm64 Packages
     1:10.5.15-0+deb11u1 500
        500 http://deb.debian.org/debian bullseye/main arm64 Packages
     1:10.5.13+maria~bullseye 500
        500 https://mirror.netweaver.uk/mariadb/repo/10.5/debian bullseye/main arm64 Packages
```

Setup pinning to priorize another origin than MariaDB one:

```
# cat /etc/apt/preferences.d/90pin
Package: *
Pin: origin deb.debian.org
Pin-Priority: 1000
```

Updated policy:

```
# apt policy mariadb-server                                                                          
mariadb-server:
  Installed: (none)
  Candidate: 1:10.5.15-0+deb11u1
  Version table:
     1:10.5.16+maria~bullseye 500
        500 https://mirror.netweaver.uk/mariadb/repo/10.5/debian bullseye/main arm64 Packages
     1:10.5.15+maria~bullseye 500
        500 https://mirror.netweaver.uk/mariadb/repo/10.5/debian bullseye/main arm64 Packages
     1:10.5.15-0+deb11u1 1000
       1000 http://deb.debian.org/debian bullseye/main arm64 Packages
     1:10.5.13+maria~bullseye 500
        500 https://mirror.netweaver.uk/mariadb/repo/10.5/debian bullseye/main arm64 Packages
```

Installing pin-compliant package through `apt` works fine:

```
# apt install mariadb-common --dry-run
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  mysql-common
The following NEW packages will be installed:
  mariadb-common mysql-common
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Inst mysql-common (5.8+1.0.7 Debian:11.4/stable [all])
Inst mariadb-common (1:10.5.15-0+deb11u1 Debian:11.4/stable [all])
Conf mysql-common (5.8+1.0.7 Debian:11.4/stable [all])
Conf mariadb-common (1:10.5.15-0+deb11u1 Debian:11.4/stable [all])
```

However `apt_pkg` Python lib return wrong candidate version:

```
# python3
>>> import apt, apt_pkg
>>> cache = apt_pkg.Cache()
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
>>> policy = apt_pkg.Policy(cache)
>>> policy.get_candidate_ver(cache['mariadb-common'])
<apt_pkg.Version object: Pkg:'mariadb-common' Ver:'1:10.5.16+maria~bullseye' Section:'database'  Arch:'all' Size:4452 ISize:19456 Hash:2194990488 ID:58302 Priority:4>
```


-- System Information:
Debian Release: 11.4
  APT prefers stable-updates
  APT policy: (1000, 'stable-updates'), (1000, 'stable-security'), (1000, 'stable')
Architecture: arm64 (aarch64)

Kernel: Linux 5.10.104-linuxkit (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_RANDSTRUCT
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages python3-apt depends on:
ii  distro-info-data   0.51+deb11u2
ii  libapt-pkg6.0      2.2.4
ii  libc6              2.31-13+deb11u3
ii  libgcc-s1          10.2.1-6
ii  libstdc++6         10.2.1-6
ii  python-apt-common  2.2.1
ii  python3            3.9.2-3

Versions of packages python3-apt recommends:
ii  iso-codes    4.6.0-1
ii  lsb-release  11.1.0

Versions of packages python3-apt suggests:
ii  apt              2.2.4
pn  python-apt-doc   <none>
pn  python3-apt-dbg  <none>

-- no debconf information

Reply to:

Follow-Ups:
- Bug#1017060: marked as done (python3-apt: Candidate version returned does not respect policy)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Bug#1016967: apt_preferences(5) downgrade rule is off-by-one
Next by Date: Bug#1017060: marked as done (python3-apt: Candidate version returned does not respect policy)
Previous by thread: Bug#1016967: apt_preferences(5) downgrade rule is off-by-one
Next by thread: Bug#1017060: marked as done (python3-apt: Candidate version returned does not respect policy)
Index(es):
- Date
- Thread