docker-ce-packaging

ubuntu docker-ce 20.10.17 depends on incorrect containerd.io version

Open sm-gravid-day opened this issue 3 years ago • 2 comments

The docker engine release notes here: https://docs.docker.com/engine/release-notes/ state that for engine version 20.10.17 the containerd.io version has been updated to v1.6.6. However, for the following ubuntu packages:

5:20.10.17~3-0~ubuntu-bionic
5:20.10.17~3-0~ubuntu-focal

Downloading the source and searching the control file shows:

Depends: containerd.io (>= 1.4.1)

This can lead to docker-ce upgrades sticking with an existing, older version of containerd.io and missing out on fixes.

Shouldn't the control file be in sync with the release notes?

sm-gravid-day, Sep 08 '22 13:09

It's the same story for the newly released 20.10.18. Control file contains: Depends: containerd.io (>= 1.4.1) but release notes page states:

Update containerd (containerd.io package) to [v1.6.8](https://github.com/containerd/containerd/releases/tag/v1.6.8).

sm-gravid-day, Sep 12 '22 10:09

The packaged containerd available in the repository is indeed 1.6.8 now, but the dependency within the engine package is still correct AFAIK -- the engine still works correctly with a 1.4.1+ containerd. IMO, it would not be appropriate to change this Depends just to make sure that users who are not updating all related packages receive the newer version (there may be valid reasons for a user to stick with containerd 1.4.x, for example, but they still want a newer engine).

tianon, Sep 12 '22 18:09

Yes, as answered above; the version specified is the minimum expected version. Technically, this could be >= 1.0.0, as containerd promises API stability for all v1.x.x versions, but we set the minimum version to the version used when doing the initial release (v20.10.0 in this case), and sometimes update the minimum version in case a (severe) security issue was found in containerd, in which case we want to prevent users from running versions before that.

In either case, the versions specified in packages are only used as constraints; unfortunately, changing these versions won't affect what's being installed when upgrading the package. Linux package managers are somewhat "limited", and setting the version to (for example) >= 1.6.8 or == 1.6.8 will not make the package manager automatically update the version; it will merely produce an error that the installed version does not meet the requirements (which is quite unfortunate).

Let me close this ticket because of the above, but feel free to continue the conversation.

thaJeztah, Jan 04 '23 08:01