I've added a merge proposal for sru-release
I believe it will improve the situation by insisting on order and that some
packages will go in together.
Also, I did dig a bit more, and it looks like the core of the issue in my
original post can be seen at
linux-meta-hwe went into security 11 minutes before linux-hwe.
On Wed, Jun 13, 2018 at 12:39 PM, Scott Moser <email@example.com> wrote:
We have a curtin test that runs (simplified)
apt-get install linux-image-generic-hwe-16.04
The jenkins run  failed on Monday (06-11), console log at  with
| Some packages could not be installed. This may mean that you have
| requested an impossible situation or if you are using the unstable
| distribution that some required packages have not yet been created
| or been moved out of Incoming.
| The following information may help to resolve the situation:
| The following packages have unmet dependencies:
| linux-image-generic-hwe-16.04 :
| Depends: linux-image-4.13.0-45-generic but it is not installable
| Depends: linux-image-extra-4.13.0-45-
generic but it is not installable
| Recommends: thermald but it is not going to be installed
| E: Unable to correct problems, you have held broken packages.
So it would appear that we hit an unfortunate race when
linux-meta-hwe  was in xenial-updates but linux-hwe  was not.
Per the email time stamps in those messages there was a 4 second window
when this could have occurred. We hit this issue around 15:36, around 20
minutes after the time stamp on the xenial-changes email (15:14).
I realize that you probably can't trust those timestamps 100%, that
the publisher runs on some cycle, and that archive sync is non-atomic.
If the email messages are to be believed, linux-meta-hwe 
was accepted before linux-hwe . linux-meta-hwe depends on a specific
version of linux-hwe, but linux-hwe has no dependency on linux-meta-hwe.
It seems that at very least linux-hwe should be let in before
We've seen similar issues with grub2 and grub2-signed. I believe those
two are co-dependent making them trickier.
This is a stable release that had its canonical archive
in a broken state. Can anything be done to stop this from occurring?
server/view/cloud-init,% 20curtin,%20streams/job/ curtin-vmtest-daily-x/120/