Discussion:
How to get an email notification every time a package is updated upstream?
(too old to reply)
B
2024-06-30 02:30:01 UTC
Permalink
My objective is to get an email notification when an update is available
for a specific Debian package.

It sounds simple. Something like this should already exist, right? The
requirements are trivial. Yet after doing a lot of research I can't find
an existing solution that doesn't have problems.

Does anyone have any suggestions or input?

Below is all extra info and research I did.



Let's identify my requirements:

The notification method I want is email, but I would consider other
things since I could probably easily convert it to a mail with a script.

The packages I want to monitor are arbitrary and specific. The
distribution and architecture must also be taken into account. For a
given package, if I want to know about changes in unstable, then it must
not generate notifications against stable, experimental, source, or some
other architecture.



Research and existing solutions:

When researching, I found the following tools which are related or might
be useful, but unfortunately I disqualified everything because it didn't
meet my requirements.

Obviously we want to get as close to the authoritative source of truth
as possible. This means it would be preferred to get the notification
sent by Debian infrastructure. So the first thing I looked at was
tracker and the Debian mailing lists. Unfortunately, they don't do what
I want. The problem is that these are dev-oriented, not user-oriented.
Notifications/NEWS occurs when source/uploads get accepted, not when
built packages are released to the FTP servers.

The new Tracker system: https://tracker.debian.org

The old tracker, which is no longer working, but it's noteworthy:
https://packages.qa.debian.org/
(https://lists.debian.org/debian-devel-announce/2002/01/msg00011.html)

The Debian mailing lists:
    https://lists.debian.org/debian-changes/
    https://lists.debian.org/debian-devel-changes/
    https://lists.debian.org/debian-security-announce/

Packages/tools:

    unattended-upgrades
        might have some tools
 https://serverfault.com/questions/970136/how-do-i-make-unattended-upgrades-email-me-every-time-it-runs

    apticron
        https://packages.debian.org/sid/apticron
 https://www.cyberciti.biz/faq/apt-get-apticron-send-email-upgrades-available/
        Lots of downsides
            The package must be installed on a local system
                Only notifies on packages installed on the system where
apticron is installed
            It requires the local package list to be updated regularly
                unless you run some custom cache dir or container

    cron-apt
        Related, but does not do notifications
 https://www.debuntu.org/how-to-email-notification-upon-available-package-updates-with-cron-apt/

    package-update-indicator
        This is a GUI package

Other stuff:

https://serverfault.com/questions/226340/debian-automatic-notification-of-updates
    apt-get -qq update && apt-get -dqq dist-upgrade && apt-get -qq
--simulate dist-upgrade | grep ^Inst

https://superuser.com/questions/1062534/debian-how-to-get-notified-when-packages-for-dist-upgrade-are-available
    Similar, but only shows notifications for dist-upgrade packages

https://serverfault.com/questions/300749/apt-get-update-upgrade-list-without-changing-anything
    apt list --upgradable
    apt-get --simulate upgrade



At this point, I think I'm going to have to scrape
https://packages.debian.org or use the API:
https://sources.debian.org/doc/api/
Greg Wooledge
2024-06-30 02:50:01 UTC
Permalink
My objective is to get an email notification when an update is available for
a specific Debian package.
I already have questions.

Your Subject header includes the word "upstream". This word appears
*nowhere* else in the entire email, and it completely moves the goalposts.

Are you looking for notifications that a new Debian *package* has become
available, or are you looking for notifications that the *upstream*
developer has released a new version, which may or may not have a
corresponding set of Debian packages?

My next question: is this a package that's *installed* on your system?

If you only care about new Debian packages, and if the package is one
that's installed on your system, then you should be able to slap
something together using "apt-get update" (or unattended-upgrades) and
"apt-cache policy pkgname".

Oh hey, good timing -- a new point release was apparently just dropped.
After an "apt-get update", I have:

hobbit:~$ apt-cache policy bash
bash:
Installed: 5.2.15-2+b2
Candidate: 5.2.15-2+b7
Version table:
5.2.15-2+b7 500
500 http://deb.debian.org/debian bookworm/main amd64 Packages
*** 5.2.15-2+b2 100
100 /var/lib/dpkg/status

Note that the "Installed:" and "Candidate:" lines differ. We can write
a simple shell script to compare them.


hobbit:~$ cat pkgcheck
#!/bin/bash

if (($# != 1)); then
echo "usage: pkgcheck PKGNAME" >&2
exit 2
fi

installed= candidate=
while read -r line; do
case $line in
Installed:*) installed=${line##* } ;;
Candidate:*) candidate=${line##* } ;;
esac
done < <(apt-cache policy "$1")

if [[ "$installed" != "$candidate" ]]; then
printf '%s\n Installed: %s\n Candidate: %s\n' \
"$1" "$installed" "$candidate"
exit 1
fi

exit 0


hobbit:~$ ./pkgcheck bash
bash
Installed: 5.2.15-2+b2
Candidate: 5.2.15-2+b7
hobbit:~$ ./pkgcheck libc6
hobbit:~$

Will this do? It isn't clever about handling packages that have multiple
candidates, so you might want to think about how to deal with those, if
you have that kind of situation. You can also add some bells and whistles,
like a -q option or whatever you want.
Will Mengarini
2024-06-30 03:20:01 UTC
Permalink
Post by Greg Wooledge
Your Subject header includes the word "upstream". This word appears
*nowhere* else in the entire email, and it completely moves the goalposts.
"Upstream" was a misleading misnomer intended to refer to anything
... well, "upstream" of the OP's system. The OP didn't realize
that 'upstream' has essentially become a term of art in package
management, referring to whence code comes before it's packaged.
Post by Greg Wooledge
[...] requirements [...] For a given package, if I want to know
about changes in unstable, then it must not generate notifications
against stable, experimental, source, or some other architecture.
[...] Tracker and the Debian mailing lists [...] are dev-oriented,
not user-oriented. Notifications/NEWS occurs when source/uploads get
accepted, not when built packages are released to the FTP servers.
So the OP wants to know about Debian package updates.
Post by Greg Wooledge
If you only care about new Debian packages, and if the
package is one that's installed on your system [...]
All we still need to know is whether the OP cares
about packages that aren't installed, or whether some
other aspect of Greg's solution isn't sufficient.
Greg Wooledge
2024-06-30 03:30:01 UTC
Permalink
Post by Will Mengarini
All we still need to know is whether the OP cares
about packages that aren't installed, or whether some
other aspect of Greg's solution isn't sufficient.
If there's interest in new versions of uninstalled packages, then we
have an additional bit of complexity -- how do you know whether the
candidate package is "new"? You would need an "old" version number
to compare against.

Possible answers include "the candidate version number that I got the
last time I ran the script" or "a version number that I'll provide as
a second argument to the script". We'd need to know what the OP has
in mind here.
John Crawley
2024-06-30 04:40:01 UTC
Permalink
Post by Greg Wooledge
Post by Will Mengarini
All we still need to know is whether the OP cares
about packages that aren't installed, or whether some
other aspect of Greg's solution isn't sufficient.
If there's interest in new versions of uninstalled packages, then we
have an additional bit of complexity -- how do you know whether the
candidate package is "new"? You would need an "old" version number
to compare against.
Possible answers include "the candidate version number that I got the
last time I ran the script" or "a version number that I'll provide as
a second argument to the script". We'd need to know what the OP has
in mind here.
rmadison will fetch data about package versions available in the Debian repositories.
Its output might be usefully parsed by a script.
--
John
B
2024-06-30 05:50:02 UTC
Permalink
Post by John Crawley
rmadison will fetch data about package versions available in the Debian repositories.
Its output might be usefully parsed by a script.
Thank you! I totally forgot about madison.

https://qa.debian.org/madison.php
Keith Bainbridge
2024-06-30 06:10:01 UTC
Permalink
Post by B
Post by John Crawley
rmadison will fetch data about package versions available in the Debian repositories.
Its output might be usefully parsed by a script.
Thank you! I totally forgot about madison.
https://qa.debian.org/madison.php
What would happen if you ran:

sudo apt update && sudo apt list --upgradable

every hour or so via cron? Cron can email the output I believe
--
All the best

Keith Bainbridge

***@gmail.com
***@gmail.com
+61 (0)447 667 468

UTC + 10:00
B
2024-06-30 05:50:02 UTC
Permalink
Your Subject header includes the word "upstream". This word appears
*nowhere* else in the entire email, and it completely moves the goalposts.
Are you looking for notifications that a new Debian*package* has become
available, or are you looking for notifications that the*upstream*
developer has released a new version, which may or may not have a
corresponding set of Debian packages?
Good question but Will's interpretation is correct. This is the Debian
*User* mailing list after all.

My bad. I was aware of the meaning of "upstream" in regards to package
maintainership but wasn't thinking someone would fixate on that when I
used that in the subject. Just throw that word away.
My next question: is this a package that's*installed* on your system?
No. Not even the same arch or release as the installed system. I'll even
go further and tell you I want these notifications on a Windows system
or an iPhone. And the Debian systems are air-gapped with no Internet access.

It seems crazy that in all the history of Debian, nobody said "There's a
package I care about and I want to get immediately when a new version is
released." And if they had, doing an "apt-get update" every minute of
the day would not have been any part of the desired outcome.
d***@howorth.org.uk
2024-06-30 10:40:01 UTC
Permalink
Post by B
It seems crazy that in all the history of Debian, nobody said
"There's a package I care about and I want to get immediately when a
new version is released." And if they had, doing an "apt-get update"
every minute of the day would not have been any part of the desired
outcome.
I'd expect that normally when somebody is so keen about a particular
package, they'd be more interested to know when a new upstream version
of the package appeared, rather than it appearing in a debian update.
So the answer would depend on a lot of factors and wouldn't have a
general answer.

But in general, if there isn't an event-driven mechanism available(*)
then a polling solution is generally the next step.

* e.g. accepting notifications of all updates and filtering for the
interesting one.
Greg Wooledge
2024-06-30 13:10:01 UTC
Permalink
My next question: is this a package that's*installed* on your system?
No. Not even the same arch or release as the installed system. I'll even go
further and tell you I want these notifications on a Windows system or an
iPhone. And the Debian systems are air-gapped with no Internet access.
https://mywiki.wooledge.org/BashFAQ/064

21. If^H^HWhen the newbie's question is ambiguous, the proper
interpretation will be whichever one makes the problem the hardest
to solve.

Good to know the universe hasn't changed.

Now, levity aside, let's say you write a PowerShell script and run it
on your Microsoft Windows computer, and it queries the Debian repositories,
and it learns that bash version 5.2.15-2+b7 is the currently available
version for bookworm.

Is this version new? Is it old? Do you want to be informed of it?

How does your program determine whether to notify you or not?
Michael Kjörling
2024-06-30 09:00:01 UTC
Permalink
My objective is to get an email notification when an update is available for
a specific Debian package.
It sounds simple. Something like this should already exist, right? The
requirements are trivial. Yet after doing a lot of research I can't find an
existing solution that doesn't have problems.
Does anyone have any suggestions or input?
I will readily admit that it doesn't immediately meet all of your
criteria, but one possible venue especially if you are only interested
in a few specific packages might be to point e.g. rss2email at the
package events RSS feed available through tracker.debian.org. At that
point you can use typical email filtering to further filter it down to
only those events you are interested in (for example, only those that
mention "into stable").
--
Michael Kjörling 🔗 https://michael.kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”
B
2024-06-30 09:40:01 UTC
Permalink
Post by Michael Kjörling
I will readily admit that it doesn't immediately meet all of your
criteria, but one possible venue especially if you are only interested
in a few specific packages might be to point e.g. rss2email at the
package events RSS feed available through tracker.debian.org. At that
point you can use typical email filtering to further filter it down to
only those events you are interested in (for example, only those that
mention "into stable").
Thanks for the suggestion, but unfortunately I already researched that
and there are problems.

The RSS news feed  would not be needed in this case. Tracker can already
send emails directly to you.

There is the debian-***@lists.debian.org and
debian-devel-***@lists.debian.org mailing lists, if you want to get
notified for everything.

Otherwise, you can select specific packages and keyword/event types
through the web interface. Register, login, and then add your subscriptions:

https://tracker.debian.org/accounts/subscriptions/

Like I think I said in my original email, Tracker is
dev/source-oriented, not user/package-oriented. Notifications are sent
out when new source or other uploads are accepted into the archive. This
is not the same thing as a new package version becoming available for
download in the repos. Many packages have completely different source
and package names (The linux kernel for example), and of course
architecture is usually not considered at all, unless it's a binary upload.
David Wright
2024-06-30 18:30:01 UTC
Permalink
Post by B
Thanks for the suggestion, but unfortunately I already researched that
and there are problems.
It seems crazy that in all the history of Debian, nobody said "There's
a package I care about and I want to get immediately when a new
version is released."
The packages I want to monitor are arbitrary and specific. The
distribution and architecture must also be taken into account. For a
given package, if I want to know about changes in unstable, then it
must not generate notifications against stable, experimental, source,
or some other architecture.
Can I ask why?

Cheers,
David.
Greg Wooledge
2024-06-30 18:50:01 UTC
Permalink
Post by David Wright
Post by B
It seems crazy that in all the history of Debian, nobody said "There's
a package I care about and I want to get immediately when a new
version is released."
No, the crazy part is when you add "... on my airgapped Debian system"
to the requirements.

Most people who care about getting upgrades immediately are concerned
because these are *security* updates, and their Debian systems are
accessible over a network (perhaps the Internet); thus, keeping up to
date on security patches is a high priority.

On such systems, one may use unattended-upgrades to download the
packages automatically, and possibly even install them automatically,
depending on one's configuration choices.

If your Debian system is airgapped, the security concerns are greatly
reduced. Getting patches onto it becomes far less of a race against
time.

If you also want an email when security patches are released,
there is already a solution to that as well: subscribe to the
debian-security-announce mailing list.

https://lists.debian.org/debian-security-announce/
Post by David Wright
Post by B
The packages I want to monitor are arbitrary and specific. The
distribution and architecture must also be taken into account. For a
given package, if I want to know about changes in unstable, then it
must not generate notifications against stable, experimental, source,
or some other architecture.
Can I ask why?
You can. I have a funny feeling we won't get an answer.

The fact that B is interested in unstable *primarily* (it's the first
thing mentioned) tells us an enormous amount.
B
2024-07-01 03:40:01 UTC
Permalink
Darn and I liked your wiki. I didn't know you were a toxic.
Post by Greg Wooledge
Post by David Wright
Can I ask why?
You can. I have a funny feeling we won't get an answer.
The fact that B is interested in unstable*primarily* (it's the first
thing mentioned) tells us an enormous amount.
t***@tuxteam.de
2024-07-01 04:40:01 UTC
Permalink
Post by B
Darn and I liked your wiki. I didn't know you were a toxic.
Please stop that.

He was one trying to offer help. Part of that help was pointing
out that your requirements, as you stated them, are incomplete
and possibly contradictory.

Many of us (me included, I admit) just thought "uh, oh, let's
wait until things become a bit clearer", which is, I admit
again, a bit cowardly.

Maybe Greg was a bit harsh. He is, sometimes. But not toxic,
far from it.

Cheers
--
t
Loading...