Bug#1051979: Do not suggest APT::Default-Release setting


Max Nikulin

Sep 15, 2023, 4:10:04 AM
Package: debian-reference
Version: 2.100

The "2.7.7. Tweaking candidate version with apt-pinning" section
in "Chapter 2. Debian package management" recommends

> The target release archive can be set by several methods.
>
> - "/etc/apt/apt.conf" configuration file with "APT::Default-Release "stable";" line
> - command line option, e.g., "apt-get install -t testing some-package"

https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_tweaking_candidate_version

Unfortunately "APT::Default-Release "stable";" prevents installing
updates from the stable-security and stable-updates repositories. So this
option should either just be dropped or a warning should be added to
alert users who remember it from a previous release.

According to the Debian 11 bullseye release notes, an acceptable value
for the default release may be

> APT::Default-Release "/^bullseye(|-security|-updates)$/";

https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#security-archive
"5.1.3. Changed security archive layout"
in "Chapter 5. Issues to be aware of for bullseye"

However, there are opinions that this option should be considered
deprecated:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041708#38
apt man pages

https://lists.debian.org/debian-security/2022/01/msg00022.html
Re: Bullseye security.debian.org codename misconfigured?
Sat, 22 Jan 2022 21:07:09 +0100

There is a similar bug against debian-handbook
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041706
filed during the following discussion
https://lists.debian.org/debian-security/2023/07/msg00011.html
"Setting APT::Default-Release prevents installation of security updates
in bookworm!?"

In my case it was bookworm with the backports repository added to test a
wifi issue and trixie to get firefox-esr 115 earlier than it will appear
in stable. By setting APT::Default-Release I was going to prevent the
kernel from being upgraded from backports to testing when I noticed missed
security updates. I decided to use apt pinning instead.

I have seen doubts concerning support for APT::Default-Release in
synaptic and regexps in "apt source PKG", but I have not noticed any
problem. So I am unsure whether it can be an *additional* argument against
APT::Default-Release.

I admit that some users may need a purely stable release without security
updates (e.g. to test upgrades from particular versions), but I believe
this case is too specific to be covered in the manual.

Either removing the mention of the setting or adding a warning against
APT::Default-Release should prevent users from making their
configuration insecure.
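Added example (mine, not part of this bug report or of debian-reference): a small POSIX shell audit of the pitfall described above. It models apt's release matching in a simplified way (a plain Default-Release value must equal a release's Suite or Codename exactly, a value wrapped in slashes is a case-insensitive POSIX extended regexp, matched releases get pin priority 990 and all others keep 500), reads the setting out of `apt-config dump`-style text, and reports which of <codename>, <codename>-security and <codename>-updates a given value actually pins. The sample configuration is constructed; the bookworm regexp follows the bullseye pattern from the release notes cited above; and the apt_preferences stanzas printed by pin_stanzas are my suggestion of what the pinning alternative mentioned in the thread could look like, not text from any Debian document.

```sh
#!/bin/sh
# Added example (not from the bug report): audit an APT::Default-Release value
# with a simplified model of apt's release matching.
#   - a plain value must equal a release's Suite or Codename exactly;
#   - a value wrapped in slashes is a case-insensitive POSIX extended regexp;
#   - releases that match are pinned to 990, all others stay at 500, so a
#     newer package in an unmatched <codename>-security suite never becomes
#     the candidate version.
# On a real host the value comes from the merged configuration:
#     apt-config dump | get_default_release

# Print the last APT::Default-Release value (without quotes) found on stdin.
get_default_release() {
    sed -n 's/^[[:space:]]*APT::Default-Release[[:space:]]*"\([^"]*\)";.*$/\1/p' | tail -n 1
}

# Does Default-Release VALUE select a release whose Suite or Codename is NAME?
release_selected() {
    local value="$1" name="$2" pattern
    case "$value" in
        /*/)
            pattern="${value#/}"
            pattern="${pattern%/}"
            printf '%s\n' "$name" | grep -Eiq -- "$pattern"
            ;;
        *)
            [ "$value" = "$name" ]
            ;;
    esac
}

# Audit VALUE against the release known as SUITE (e.g. stable) / CODENAME
# (e.g. bookworm) and its -security and -updates siblings. Prints one of:
#   unset              nothing configured, so no suite is demoted
#   unmatched          VALUE does not select the base release at all
#                      (apt itself warns when a value matches nothing)
#   ok                 base release and both siblings are pinned to 990
#   risky: <suites>    base release pinned, listed siblings left at 500
audit_default_release() {
    local value="$1" suite="$2" codename="$3" tag missing=""
    if [ -z "$value" ]; then
        echo unset
        return 0
    fi
    if ! release_selected "$value" "$suite" && \
       ! release_selected "$value" "$codename"; then
        echo unmatched
        return 0
    fi
    for tag in -security -updates; do
        if ! release_selected "$value" "$suite$tag" && \
           ! release_selected "$value" "$codename$tag"; then
            missing="$missing $codename$tag"
        fi
    done
    if [ -n "$missing" ]; then
        echo "risky:$missing"
    else
        echo ok
    fi
}

# The alternative the thread points to: explicit pins in /etc/apt/preferences
# that raise the release and both siblings to 990 together. The stanza layout
# is my own suggestion, not text from any Debian document.
pin_stanzas() {
    local codename="$1" tag
    for tag in "" -security -updates; do
        printf 'Package: *\nPin: release n=%s%s\nPin-Priority: 990\n\n' "$codename" "$tag"
    done
}

# Constructed sample of `apt-config dump` output carrying the risky setting.
SAMPLE_APT_CONFIG='APT::Architecture "amd64";
APT::Default-Release "stable";
APT::Install-Recommends "1";'

configured=$(printf '%s\n' "$SAMPLE_APT_CONFIG" | get_default_release)
echo "APT::Default-Release \"$configured\" -> $(audit_default_release "$configured" stable bookworm)"
echo "regexp form -> $(audit_default_release '/^bookworm(|-security|-updates)$/' stable bookworm)"
echo "pinning equivalent for /etc/apt/preferences.d/:"
pin_stanzas bookworm
```

On a real bookworm host, `apt-config dump | get_default_release` yields the effective value and `audit_default_release "$value" stable bookworm` tells you whether the security suite is being pinned below the base release; a "risky" verdict is exactly the configuration that silently skips security updates, and `apt-cache policy` will show the 990 versus 500 priorities behind it.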

Osamu Aoki

Sep 16, 2023, 4:40:05 AM
Hi,

Thank you for the careful review.


On Fri, 2023-09-15 at 15:01 +0700, Max Nikulin wrote:
> Package: debian-reference
> Version: 2.100
>
> The "2.7.7. Tweaking candidate version with apt-pinning" section
> in "Chapter 2. Debian package management" recommends
>
> > The target release archive can be set by several methods.
> >
> > - "/etc/apt/apt.conf" configuration file with "APT::Default-Release
> > "stable";" line
> > - command line option, e.g., "apt-get install -t testing some-package"
>
> https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_tweaking_candidate_version
>
> Unfortunately "APT::Default-Release "stable";" prevents installing
> updates from the stable-security and stable-updates repositories. So this
> option should either just be dropped or a warning should be added to
> alert users who remember it from a previous release.

I see your concern. I merely meant to point out that the "APT::Default-Release
"...";" line sets "Default-Release". I didn't mean to use it with "stable".

So my first thought was to replace it with:

- Release definition in "/etc/apt/apt.conf" configuration file started with
"APT::Default-Release"

But as I read the complications it causes from your messages, let's drop it. I
don't use it anyway.

Max Nikulin

Sep 17, 2023, 11:30:05 PM
On 16/09/2023 15:37, Osamu Aoki wrote:
> So my first thought was to replace it with:
>
> - Release definition in "/etc/apt/apt.conf" configuration file started with
> "APT::Default-Release"
>
> But as I read the complications it causes from your messages, let's drop it. I
> don't use it anyway.

Since the "APT::Default-Release" option has been present in the document for
years, I would prefer to see a warning close to the current place where
it is mentioned. Consider somebody who is asked about this setting and
opens the reference to provide a link. A completely disappeared mention
may make them think that it was seen in another document.

I do not insist, however. I admit that completely removing obsolete
material is widely used practice, so I am OK with your plan to just
drop it.

From my point of view, the worst variant is when "APT::Default-Release"
is described without the not so trivial regexp or without a warning
concerning complications. This feature has evolved into a kind of pitfall.

Thank you for your work on debian-reference.

Osamu Aoki

Sep 18, 2023, 9:20:06 AM
Hi,

As far as I understand, my text comes from:
$ man apt_preferences

Since Bug#1041708 was mentioned, I CC it.

I concur more-or-less with what Julian Andres Klode said for the solution.

I think what is needed is:
by way of it not being set up anymore,
nor presenting an impression of recommendation in the release notes.

## Debian Reference

As for the entry document such as Debian Reference,

I should skip mentioning setting "APT::Default-Release" to anything, since
setting it in /etc/apt/apt.conf.d/* tends to cause a persistent confusing setting.

If someone dares to set such a thing, use /etc/apt/preferences with PIN priority.
I already have such an example with ample warnings.

## man apt_preferences

What is written there is 100% correct. But it does create the impression of using

APT::Default-Release "stable";

as a part of normal system configuration for some readers.

I think this document needs to explain apt system functionality thoroughly, so
dropping the `APT::Default-Release` reference may not be an option.

I propose to replace this line with

APT::Default-Release "testing";

I think this won't drive people to set this to "stable" as much.

If I go further, to make the deprecated usage of APT::Default-Release in
/etc/apt/apt.conf more explicit, I suggest that the following part:

Note that this has precedence over any general priority you set in the
/etc/apt/preferences file described later, but not over specifically pinned
packages. For example,

should be changed to something along the lines of:

Note that this has precedence over any general priority you set in the
/etc/apt/preferences file described later, but not over specifically pinned
packages. (In order to avoid confusion with /etc/apt/preferences settings,
use of APT::Default-Release in /etc/apt/apt.conf is deprecated.) For
example,


That's my thought on this topic.

Osamu

Max Nikulin

Sep 21, 2023, 11:10:05 AM

On 18/09/2023 20:12, Osamu Aoki wrote:
>
> Since Bug#1041708 was mentioned, I CC it.

It is marked as "done", so perhaps you need to reopen it if you expect
some actions.

> I propose to replace this line with
>
> APT::Default-Release "testing";
>
> I think this won't drive people to set this to "stable" as much.

From my point of view it is a bit better, but hardly noticeable. And it
is still misleading for Debian users, since testing has security updates
as well, so the not so trivial regexp is preferable. apt.conf(5) has more
examples, but none of them is close to what might be used in real life:

> Default-Release
>
> Default release to install packages from if more than one version is
> available. Contains release name, codename or release version. Examples:
> 'stable', 'testing', 'unstable', 'bookworm', 'trixie', '4.0', '5.0*'.
> See also apt_preferences(5).

I believe that explicit warnings against the usage of APT::Default-Release
will be helpful for users.

I have not noticed issues with the regexp and "apt-get source" or synaptic
in bookworm. Whether they exist or not, mentioning the regexp as an option is
valuable from my point of view (with or without a warning concerning
lack of support in some tool). It will affect the decision of those who are
aware of the regexp from the bullseye release notes.

Osamu Aoki

Oct 29, 2023, 11:40:05 PM
control: tags -1 pending
thanks

Hi,

On Thu, 2023-09-21 at 21:56 +0700, Max Nikulin wrote:
>
> On 18/09/2023 20:12, Osamu Aoki wrote:
> >
> > Since Bug#1041708 was mentioned, I CC it.
>
> It is marked as "done", so perhaps you need to reopen it if you expect
> some actions.
>
> > I propose to replace this line with
> >
> >     APT::Default-Release "testing";
> >
> > I think this won't drive people to set this to "stable" as much.
>
>  From my point of view it is a bit better, but hardly noticeable. And it
> is still misleading for Debian users, since testing has security updates
> as well, so the not so trivial regexp is preferable. apt.conf(5) has more
> examples, but none of them is close to what might be used in real life:

Although a repository for testing security updates exists, it is hardly used in
practice.

> > Default-Release
> >
> > Default release to install packages from if more than one version is
> > available. Contains release name, codename or release version. Examples:
> > 'stable', 'testing', 'unstable', 'bookworm', 'trixie', '4.0', '5.0*'.
> > See also apt_preferences(5).
>
> I believe that explicit warnings against the usage of APT::Default-Release
> will be helpful for users.
>
> I have not noticed issues with the regexp and "apt-get source" or synaptic
> in bookworm. Whether they exist or not, mentioning the regexp as an option is
> valuable from my point of view (with or without a warning concerning
> lack of support in some tool). It will affect the decision of those who are
> aware of the regexp from the bullseye release notes.
>

I don't want to spend too much on past-release-related bugs (including
documentation). DR is an entry document, so it shouldn't be cluttered. I decided
to change DR as follows by dropping the mention of "APT::Default-Release "stable":

Current text:
The target release archive can be set by several methods.
* "/etc/apt/apt.conf" configuration file with "APT::Default-Release "stable";"
line
* command line option, e.g., "apt-get install -t testing some-package"

Updated text:

The target release archive can be set by the command line option, e.g., "apt-get
install -t testing some-package"

For the APT bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041708
this is outside of my control and it has been closed by the maintainer. So I
didn't CC this reply.

Regards,

Osamu

Max Nikulin

Oct 30, 2023, 6:50:05 AM
On 30/10/2023 10:28, Osamu Aoki wrote:
> On Thu, 2023-09-21 at 21:56 +0700, Max Nikulin wrote:
>> On 18/09/2023 20:12, Osamu Aoki wrote:
>>>
>>>     APT::Default-Release "testing";
>>>
>>> I think this won't drive people to set this to "stable" as much.
>>
>>  From my point of view it is a bit better, but hardly noticeable. And it
>> is still misleading for Debian users, since testing has security updates
>> as well, so the not so trivial regexp is preferable. apt.conf(5) has more
>> examples, but none of them is close to what might be used in real life:
>
> Although a repository for testing security updates exists, it is hardly used in
> practice.

I feel some kind of miscommunication here. I was trying to say that

APT::Default-Release "stable";

prevents updates from stable-security (bookworm-security). This
repository is rather important: it is configured by the installer and it is
mentioned in various docs, e.g.
https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_debian_archive_basics

deb http://security.debian.org/debian-security bookworm-security main non-free-firmware contrib non-free

I would not call it "hardly used". I agree that the testing-security
repository is currently empty, but I assume it may not be so during
late freeze stages. Moreover, having an example for "testing", users may
try to blindly apply it to "stable".

> Updated text:
>
> The target release archive can be set by the command line option, e.g., "apt-get
> install -t testing some-package"

Thank you for improving the docs. I consider the issue as fixed.

Osamu Aoki

Oct 30, 2023, 10:50:07 AM
Hi,

On Mon, 2023-10-30 at 17:39 +0700, Max Nikulin wrote:
> On 30/10/2023 10:28, Osamu Aoki wrote:
> > On Thu, 2023-09-21 at 21:56 +0700, Max Nikulin wrote:
> > > On 18/09/2023 20:12, Osamu Aoki wrote:
> > > >
> > > >      APT::Default-Release "testing";
> > > >
> > > > I think this won't drive people to set this to "stable" as much.
> > >
> > >   From my point of view it is a bit better, but hardly noticeable. And it
> > > is still misleading for Debian users, since testing has security updates
> > > as well, so the not so trivial regexp is preferable. apt.conf(5) has more
> > > examples, but none of them is close to what might be used in real life:
> >
> > Although a repository for testing security updates exists, it is hardly used
> > in practice.
>
> I feel some kind of miscommunication here. I was trying to say that
>
>      APT::Default-Release "stable";
>
> prevents updates from stable-security (bookworm-security). 

Yes, I know that is what you said.

"APT::Default-Release "testing";" is my initial improvement suggestion with
minimal change.

> This
> repository is rather important: it is configured by the installer and it is
> mentioned in various docs, e.g.
> https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_debian_archive_basics

That is this document (my debian-reference) before this fix.

My comment was aimed at the upstream APT manpage or elsewhere outside of my
control.

> deb http://security.debian.org/debian-security bookworm-security main non-free-firmware contrib non-free
>
> I would not call it "hardly used".

I am talking about testing-security being hardly used.

> I agree that the testing-security
> repository is currently empty, but I assume it may not be so during
> late freeze stages. Moreover, having an example for "testing", users may
> try to blindly apply it to "stable".

The release team has been saying not to expect testing-security to be used (due
to developer resource limitations etc.).

If you care about such a risk, please use the stable platform.

> > Updated text:
> >
> >     The target release archive can be set by the command line option, e.g.,
> >     "apt-get install -t testing some-package"
>
> Thank you for improving the docs. I consider the issue as fixed.


Good.