wrong icon and classification of update

[dgutson]

MintUpdate 5.8.8

says gzip is a software update (up arrow icon), whereas changes contain security updates:

gzip (1.10-4ubuntu4.1) jammy; urgency=medium

  * Cherry-pick upstream patch to use more portable alignment to resolve
    failure to execute on
    WSL1. https://github.com/microsoft/WSL/issues/8219 LP: #1966849

 -- Dimitri John Ledkov <dimitri.ledkov@canonical.com>  Mon, 05 Sep 2022 14:33:59 +0100

gzip (1.10-4ubuntu4) jammy; urgency=medium

  * SECURITY UPDATE: arbitrary file override with crafted file names
    - debian/patches/CVE-2022-1271-1.patch: avoid exploit via multi-newline
      file names in zgrep.in.
    - debian/patches/CVE-2022-1271-2.patch: add test in tests/Makefile.am,
      tests/zgrep-abuse.

[kneekoo]

The security update is listed for the previous version (1.10-4ubuntu4) - the one you already have installed. mintupdate is correct on this one.

[dgutson]

it is misleading the decision of the user. If I "see" the update icon, I may decide to postpone it.
However, if I see the security update icon, I do update right away.
In this case, the non-security update is "masking" the security one, effectively decreasing the urgency criteria.

[kneekoo]

No, many times you'll see the change logs having notes for multiple versions, even those that you already have installed, and older. Unless you skipped several updates, you're supposed to have the previous version (already containing the security patch), so you're only missing the latest (non-security) update in this scenario.

But I do wonder how the icon would look like if a package is several versions behind the latest, and there's at least one security update. What's missing from your screenshot is your installed version. That would clarify your situation in particular, but it's a good point that when there are security updates between the installed version and the latest one, the icon should reflect the security update being available.

[dgutson]

That's exactly my point. Feel free to update the title.

[dgutson]

@kneekoo any update on this?

[kneekoo]

I'm not a developer here. :)

[github-actions]

This issue has been automatically marked as stale because it has not had
any activity in over 2 years.

If this issue is still relevant:

• Please test on a current version of this package.
• Add a comment with your findings

If no activity occurs in the next 30 days, this issue will be
automatically closed. Issues can be reopened if needed.

[kneekoo]

This issue is still worth attention, it should not be closed.

To make it clear, there are 2 important cases:

1. When the user is one version behind the latest and the latest package is not a security update, the icon should be that of a plain update;
2. When the user is multiple versions behind the latest one, and at least one of the newer versions consists of security updates, the icon should be changed to that of a security update.