Package: debian-reference
Version: 2.100
The "2.7.7. Tweaking candidate version with apt-pinning" section
in "Chapter 2. Debian package management" recommends
The target release archive can be set by several methods.
- "/etc/apt/apt.conf" configuration file with "APT::Default-Release "stable";"
line
- command line option, e.g., "apt-get install -t testing some-package"
https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_tweaking_candidate_version
Unfortunately "APT::Default-Release "stable";" prevents installation of
updates from the stable-security and stable-updates repositories. So this
option should either just be dropped, or a warning should be added to
alert users who remember it from previous releases.
According to the Debian 11 bullseye release notes, an acceptable value for
the default release may be
APT::Default-Release "/^bullseye(|-security|-updates)$/";
https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#security-archive
"5.1.3. Changed security archive layout"
in "Chapter 5. Issues to be aware of for bullseye"
However, there are opinions that this option should be considered
deprecated:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041708#38
apt man pages
https://lists.debian.org/debian-security/2022/01/msg00022.html
Re: Bullseye security.debian.org codename misconfigured?
Sat, 22 Jan 2022 21:07:09 +0100
There is a similar bug against debian-handbook
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041706
filed during the following discussion
https://lists.debian.org/debian-security/2023/07/msg00011.html
"Setting APT::Default-Release prevents installation of security updates
in bookworm!?"
In my case it was bookworm with the backports repository added to test a
wifi issue and trixie to get firefox-esr 115 earlier than it will appear
in stable. By setting APT::Default-Release I was going to prevent
upgrading the kernel from backports to testing when I noticed missed security
updates. I decided to use apt pinning instead.
I have seen doubts concerning support of APT::Default-Release in
synaptic and regexps in "apt source PKG", but I have not noticed any
problem. So I am unsure if it can be an *additional* argument against
APT::Default-Release.
I admit that some users may need a purely stable release without security
updates (e.g. to test upgrades from particular versions), but I believe
this case is too specific to be covered in the manual.
Either removing mention of the setting or adding a warning against
APT::Default-Release should prevent users from making their
configuration insecure.
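To make the effect described above concrete, here is an added example (not part of this report or of APT itself) that models the candidate selection rules from apt_preferences(5) for a constructed package available from bookworm, bookworm-security, bookworm-backports and trixie. The package name and version strings are constructed; the model simplifies version ordering to numeric tuples instead of dpkg's comparison. It shows that a bare codename in APT::Default-Release keeps the stale stable version, that the regex form from the release notes picks the security update, and that an explicit pin on trixie (the pinning alternative mentioned above) achieves the same without Default-Release.

```python
# Simplified model of APT candidate selection under APT::Default-Release.
# Priorities follow apt_preferences(5): 990 for versions from the target
# release, 500 for other archives, 100 for NotAutomatic/ButAutomaticUpgrades
# archives such as backports. An explicit Pin-Priority from
# /etc/apt/preferences overrides these defaults. Highest priority wins,
# ties are broken by the newer version.
import re

# Constructed sample data: one package, four suites (not real versions).
AVAILABLE = {
    "linux-image-amd64": [
        ("bookworm", "6.1.52-1"),
        ("bookworm-security", "6.1.55-1"),
        ("bookworm-backports", "6.5.10-1"),
        ("trixie", "6.5.13-1"),
    ]
}

def suite_priority(suite, default_release, pins=None):
    """Priority APT would assign to a version coming from `suite`."""
    if pins and suite in pins:
        return pins[suite]           # /etc/apt/preferences entry wins
    if suite.endswith("-backports"):
        return 100                   # ButAutomaticUpgrades archive
    if default_release is None:
        return 500
    if default_release.startswith("/") and default_release.endswith("/"):
        # Regex form, e.g. "/^bookworm(|-security|-updates)$/"
        matched = re.search(default_release[1:-1], suite) is not None
    else:
        matched = suite == default_release   # bare codename/suite name
    return 990 if matched else 500

def version_key(version):
    """Simplified ordering: split on '.' and '-' into integers."""
    return tuple(int(part) for part in re.split(r"[.-]", version))

def candidate(pkg, default_release, pins=None):
    """Return (suite, version) APT would choose as candidate."""
    return max(
        AVAILABLE[pkg],
        key=lambda sv: (suite_priority(sv[0], default_release, pins),
                        version_key(sv[1])),
    )

if __name__ == "__main__":
    for label, dr, pins in [("no Default-Release", None, None),
                            ("bare codename", "bookworm", None),
                            ("regex", "/^bookworm(|-security|-updates)$/", None),
                            ("pin trixie=100", None, {"trixie": 100})]:
        print(f"{label:20s} -> {candidate('linux-image-amd64', dr, pins)}")
```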