Re: Setting APT::Default-Release prevents installation of security updates in bookworm!?
Hi Paul, On Sat, Jul 22, 2023 at 03:56:02PM +0800, Paul Wise wrote: > > One mention I found is in Raphaël and Roland's DAH (now in CC): > > https://debian-handbook.info/browse/stable/sect.apt-get.html#sect.apt-upgrade > > Probably better to file a bug about this, so it is tracked. Ah, I didn't realise debian-handbook has a package in the archive :) Done, Bug#1041706: debian-handbook: Wrong advice on APT::Default-Release preventing security updates. > > What I don't understand is why the security repo codename wasn't changed to > > $codename/security? Wouldn't that be handled correctly by APT? Unless the > > /update string in particular had special handling? > > You will have to ask the apt developers and archive admins about this, > but at the end of the day reverting it is unlikely to happen, so > probably it is something everyone will just have to learn to live with. I've had a quick look at the apt code now and indeed it seems to handle $codename/$whatever as equivalent to $codename, see metaIndex::CheckDist. I don't see why we couldn't revert this change. Anybody who's applied the hack from the bullseye release-notes will be unaffected as the regex will still match a plain code/suite-name but people who never applied this advice will get their security updates back. I've sent a bug to apt as well, just about the doc references for now: Bug#1041708: apt: Manpages have wrong advice on APT::Default-Release preventing security updates. Who do I contact about the archive aspects? FTP-master or the security-team? The security-team is in CC on the doc bugs so I'm hoping they will see it anyway. Thanks, --Daniel
Re: Setting APT::Default-Release prevents installation of security updates in bookworm!?
Hi Paul, On Fri, Jul 21, 2023 at 10:17:28AM +0800, Paul Wise wrote: > On Thu, 2023-07-20 at 22:12 +0200, Daniel Gröber wrote: > > > It seems packages from the debian-security repository are not affected by > > this increased priority and will not get intalled as a result. > > This was documented in the release notes for Debian bullseye: > > https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#security-archive Now that you mention it I remember reading this and getting quite irritated. Probably why I forgot about it. Do you have any references on how this decision came to be? > I have updated a few wiki pages that mention APT::Default-Release too. > > https://wiki.debian.org/DebianUnstable?action=diff&rev1=144&rev2=145 > https://wiki.debian.org/DebianEdu/Status/Bullseye?action=diff&rev1=107&rev2=108 > https://wiki.debian.org/Wajig?action=diff&rev1=20&rev2=21 > https://wiki.debian.org/FunambolInstallation?action=diff&rev1=9&rev2=10 > > If there is other documentation of APT::Default-Release that should get > updated, please let us know so that we can fix it. One mention I found is in Raphaël and Roland's DAH (now in CC): https://debian-handbook.info/browse/stable/sect.apt-get.html#sect.apt-upgrade The places I'm most concerned about, people's brains and random web sites, aren't so easily fixed unfortunately. Advice to set this is splattered all over the web, I really don't understand why we made a change so seemingly ill advised as this? A web search for "Debian Default-Release security" didn't reveal anything talking about this problem, especially not our release notes, so I think this change didn't get the publicity it deserves at the very least. What I don't understand is why the security repo codename wasn't changed to $codename/security? Wouldn't that be handled correctly by APT? Unless the /update string in particular had special handling? Thanks, --Daniel
Setting APT::Default-Release prevents installation of security updates in bookworm!?
Hi debian-security, I've just noticed something rather distressing. As part of my usual Debian installation I set `APT::Default-Release "stable";` which causes a change of apt priorities for packages from this release (or so I thought) from the usual 500 to 990. This is recommended in various places, but I don't recall if d-i sets this up by default or not. It seems packages from the debian-security repository are not affected by this increased priority and will not get intalled as a result. Note: `apt-cache policy` tends to lie. I observed this by actually trying to install a kernel update from d-security that should get installed but doesn't. As soon as I remove the Default-Release line from apt.conf the update gets offered for installation. Has anyone else observed this or is something broken in my apt config somewhere? --Daniel