How are package updates defined as security updates?

Question

I've created and published a mirror of the Ubuntu repositories for Xenial using aptly. This includes xenial and xenial-updates downloaded from my country specific Ubuntu mirror. I've taken xenial-security from http://security.ubuntu.com. I can use all apt or apt-get update and upgrade commands normally with this mirror to manually upgrade systems.

My issue is that unattended-upgrades with security only updates configured will not register any packages as available to upgrade. Likewise after using apt update, the motd message on login will say something like:

261 packages can be updated.
0 updates are security updates.

If I switch back to the default repositories and run the same command, motd changes to:

261 packages can be updated.
176 updates are security updates.

Running unattended-upgrade --dry-run -d has similar results, plenty of security updates if I use the default mirrors, but none from my local mirror.

Evidently I'm losing whatever marks the packages as security updates in my mirroring process.

How does apt determine that a package update is a security update once the package list has been updated? What do I have to do to accurately mirror this?

Answer 1

"Security Updates" come from the -security repository. Only the Ubuntu Security Team has permission to upload to that pocket. Apt does not "determine" anything.

Example: Security updates in Xenial are packaged by the Ubuntu Security Team and distributed in the xenial-security pocket.

For your specific case:

1) Ensure that you really have a security repo enabled in sources.list.

2) Don't trust motd's numbers - motd is a a handy reminder feature, but those numbers update only once per day...and you don't know when.

3) Try one of these methods to accurately see if uninstalled security updates are in the -security pocket for your release of Ubuntu.

4) Unattended Upgrades can be really sneaky about upgrades (that's good). Check a week of the U-U history in /var/log/unattended-upgrades to be certain that U-U is not installing security upgrades. If so, time to double-check your sources (see #1).