From 0adff31dcb9288b6043c0e49a8214a6050a718eb Mon Sep 17 00:00:00 2001
From: Alexandre Aubin <alex.aubin@mailoo.org>
Date: Mon, 17 Oct 2022 16:48:37 +0200
Subject: [PATCH] diagnosis: add reports when apt is configured with the
 'testing' channel for yunohost, or with the 'stable' codename for debian

---
 locales/en.json                 |  6 +++++-
 src/diagnosers/00-basesystem.py | 21 +++++++++++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/locales/en.json b/locales/en.json
index 429eb09c3..bbbffcf2b 100644
--- a/locales/en.json
+++ b/locales/en.json
@@ -296,6 +296,10 @@
     "diagnosis_swap_ok": "The system has {total} of swap!",
     "diagnosis_swap_tip": "Please be careful and aware that if the server is hosting swap on an SD card or SSD storage, it may drastically reduce the life expectancy of the device.",
     "diagnosis_unknown_categories": "The following categories are unknown: {categories}",
+    "diagnosis_using_stable_codename": "<cmd>apt</cmd> (the system's package manager) is currently configured to install packages from codename 'stable', instead of the codename of the current Debian version (bullseye).",
+    "diagnosis_using_stable_codename_details": "This is usually caused by incorrect configuration from your hosting provider. This is dangerous, because as soon as the next Debian version becomes the new 'stable', <cmd>apt</cmd> will want to upgrade all system packages without going through a proper migration procedure. It is recommended to fix this by editing the apt source for base Debian repository, and replace the <cmd>stable</cmd> keyword by <cmd>bullseye</cmd>. The corresponding configuration file should be <cmd>/etc/apt/sources.list</cmd>, or a file in <cmd>/etc/apt/sources.list.d/</cmd>.",
+    "diagnosis_using_yunohost_testing": "<cmd>apt</cmd> (the system's package manager) is currently configured to install any 'testing' upgrade for YunoHost core.",
+    "diagnosis_using_yunohost_testing_details": "This is probably OK if you know what you are doing, but pay attention to the release notes before installing YunoHost upgrades! If you want to disable 'testing' upgrades, you should remove the <cmd>testing</cmd> keyword from <cmd>/etc/apt/sources.list.d/yunohost.list</cmd>.",
     "disk_space_not_sufficient_install": "There is not enough disk space left to install this application",
     "disk_space_not_sufficient_update": "There is not enough disk space left to update this application",
     "domain_cannot_add_xmpp_upload": "You cannot add domains starting with 'xmpp-upload.'. This kind of name is reserved for the XMPP upload feature integrated into YunoHost.",
@@ -692,4 +696,4 @@
     "yunohost_installing": "Installing YunoHost...",
     "yunohost_not_installed": "YunoHost is not correctly installed. Please run 'yunohost tools postinstall'",
     "yunohost_postinstall_end_tip": "The post-install completed! To finalize your setup, please consider:\n    - adding a first user through the 'Users' section of the webadmin (or 'yunohost user create <username>' in command-line);\n    - diagnose potential issues through the 'Diagnosis' section of the webadmin (or 'yunohost diagnosis run' in command-line);\n    - reading the 'Finalizing your setup' and 'Getting to know YunoHost' parts in the admin documentation: https://yunohost.org/admindoc."
-}
\ No newline at end of file
+}
diff --git a/src/diagnosers/00-basesystem.py b/src/diagnosers/00-basesystem.py
index a36394ce8..aeb9956a5 100644
--- a/src/diagnosers/00-basesystem.py
+++ b/src/diagnosers/00-basesystem.py
@@ -137,6 +137,27 @@ class MyDiagnoser(Diagnoser):
                 summary="diagnosis_backports_in_sources_list",
             )
 
+        # Using yunohost testing channel
+        if os.system("grep -q '^\\s*deb\\s*.*yunohost.org.*\\stesting' /etc/apt/sources.list /etc/apt/sources.list.d/*") == 0:
+            yield dict(
+                meta={"test": "apt_yunohost_channel"},
+                status="WARNING",
+                summary="diagnosis_using_yunohost_testing",
+                details=["diagnosis_using_yunohost_testing_details"],
+            )
+
+        # Apt being mapped to 'stable' (instead of 'buster/bullseye/bookworm/trixie/...')
+        # will cause the machine to spontaenously upgrade everything as soon as next debian is released ...
+        # Note that we grep this from the policy for libc6, because it's hard to know exactly which apt repo
+        # is configured (it may not be simply debian.org)
+        if os.system("apt policy libc6 2>/dev/null | grep '^\\s*500' | awk '{print $3}' | tr '/' ' ' | awk '{print $1}' | grep -q 'stable'") == 0:
+            yield dict(
+                meta={"test": "apt_debian_codename"},
+                status="WARNING",
+                summary="diagnosis_using_stable_codename",
+                details=["diagnosis_using_stable_codename_details"],
+            )
+
         if self.number_of_recent_auth_failure() > 750:
             yield dict(
                 meta={"test": "high_number_auth_failure"},