Package: autopkgtest
Version: 5.35
Severity: normal
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
When using autopkgtest-build-* tools that prepare autopkgtest images
from pre-built images, sometimes we end up with images with dependency
problems because the pre-built images come with packages from -security
baked in.
For example, at the moment the incus images:debian/bookworm/amd64 image
contains this libc6:
$ apt-cache policy libc6
libc6:
Installed: 2.36-9+deb12u7
Candidate: 2.36-9+deb12u7
Version table:
*** 2.36-9+deb12u7 500
500 http://deb.debian.org/debian-security bookworm-security/main amd64
Packages
100 /var/lib/dpkg/status
2.36-9+deb12u4 500
500 http://deb.debian.org/debian bookworm/main amd64 Packages
Note that the installed version comes from bookworm-security. The
setup-testbed script clears the existing sources (which would include
-security) and only adds bookworm, which can cause installability
problems of build or test dependencies. For example libc6-dev is
uninstallable in the above situation, as the installed libc6 requires
the libc6-dev version from -security, which is not available.
This can be fixed by making setup-testbed add the security repository.
This already happens when building Ubuntu images (there's code in
setup-testbed to detect those), so this is a problem specific to Debian.
If we agree this is a bug and on the solution, I'll prepare a MP with it.
--
Paride
