
APT preferring `stable` over `stable-security`


Stefan Monnier

Dec 26, 2023, 11:20:06 AM
I noticed today that one of my machines was still running openssh
1:9.2p1-2+deb12u1 rather than 1:9.2p1-2+deb12u2 even though it is
supposed to do its unattended-upgrades, so I tried a manual upgrade and
the result was still the same.

Only after

apt install openssh-server/stable-security

did the machine get the new version :-(

The `sources.list` file says:

deb http://security.debian.org/ stable-security main
deb http://deb.debian.org/debian stable main

and the `apt.conf` says:

APT::Default-Release "stable";
Aptitude::CmdLine::Show-Deps "true";
APT::Periodic::Unattended-Upgrade "1";

Which I thought was the "normal" config (modulo the use of "stable"
instead of "bookworm") where the `stable-security` would automatically
take precedence when applicable. But it looks like the
`stable-security` repository is just not used at all!

What am I missing?


Stefan

Charles Curley

Dec 26, 2023, 11:30:07 AM
On Tue, 26 Dec 2023 11:12:01 -0500
Stefan Monnier <mon...@iro.umontreal.ca> wrote:

> The `sources.list` file says:
>
> deb http://security.debian.org/ stable-security main
> deb http://deb.debian.org/debian stable main

I take it this is bookworm. In that case, you also need:

# bookworm-updates, to get updates before a point release is made;
# see https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_updates_and_backports
deb http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
# deb-src http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware

in your e/a/sources.list

You may also want backports; see the article mentioned in the stanza
above.

--
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/

Dan Ritter

Dec 26, 2023, 11:40:06 AM
https://wiki.debian.org/AptConfiguration#Be_careful_with_APT::Default-Release

(quoted entirely)

Maybe you have noticed examples like setting APT::Default-Release "stable"; or APT::Default-Release "bookworm";. It prevents installing security updates by apt upgrade, so avoid it. Instead of increasing priority of the current release, consider setting lower priority of added repositories through apt_preferences (APT pinning). Since Debian 11 bullseye the security repository is labeled as stable-security and e.g. bookworm-security, so at least use regular expression matching all primary suites:

APT::Default-Release "/^bookworm(|-security|-updates)$/";

-dsr-

Stefan Monnier

Dec 26, 2023, 11:40:06 AM
>> The `sources.list` file says:
>>
>> deb http://security.debian.org/ stable-security main
>> deb http://deb.debian.org/debian stable main
>
> I take it this is bookworm. In that case, you also need:
>
> # bookworm-updates, to get updates before a point release is made;
> # see https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_updates_and_backports
> deb http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
> # deb-src http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
>
> in your e/a/sources.list

Oh, so that's what this new `stable-updates` was about?
But then what's the purpose of `stable-security` now?


Stefan

Stefan Monnier

Dec 26, 2023, 11:50:06 AM
>> I take it this is bookworm. In that case, you also need:
>>
>> # bookworm-updates, to get updates before a point release is made;
>> # see https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_updates_and_backports
>> deb http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
>> # deb-src http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
>>
>> in your e/a/sources.list
>
> Oh, so that's what this new `stable-updates` was about?

Hmm... looks like it's not sufficient.
I added

deb http://deb.debian.org/debian stable-updates main

then did

apt update
apt upgrade

and it still didn't upgrade to `1:9.2p1-2+deb12u2`.
:-(


Stefan

Stefan Monnier

Dec 26, 2023, 12:20:06 PM
Indeed! Thank you!
Apparently the release notes didn't warn me loudly enough about it :-(


Stefan

Max Nikulin

Dec 26, 2023, 10:30:06 PM
On 26/12/2023 23:23, Dan Ritter wrote:
>
> https://wiki.debian.org/AptConfiguration#Be_careful_with_APT::Default-Release
>
> (quoted entirely)

But omitting a couple of links to comments from developers that
APT::Default-Release is deprecated.

A tool to debug issues with upgrades is

apt policy

that gives an overview of configured repositories and their priority. When
a specific package is known, use

apt policy openssh-client
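
The priority arithmetic behind the wiki passage Dan Ritter quotes, and behind the numbers `apt policy` prints, as an added example that is not part of the original thread. It is a simplified model of the default priorities described in apt_preferences(5): 990 for the target release, 500 for other repositories, 100 for the installed version. It assumes the Default-Release value is matched against both suite and codename, uses a natural sort in place of dpkg's version comparison, and does not model the no-downgrade rule; the function names are hypothetical.

```python
import re

def natural_key(version):
    # Simplification: natural ordering, not dpkg's full version comparison.
    return [int(p) if p.isdigit() else p for p in re.split(r"(\d+)", version)]

def is_target(default_release, suite, codename):
    """Does a repository's release match APT::Default-Release (name or /regex/)?"""
    if not default_release:
        return False
    if len(default_release) > 2 and default_release[0] == default_release[-1] == "/":
        rx = re.compile(default_release[1:-1])
        return bool(rx.search(suite) or rx.search(codename))
    return default_release in (suite, codename)

def priorities(default_release, installed, available):
    """Map version -> pin priority: 990 target release, 500 other, 100 installed."""
    prio = {installed: 100}
    for version, suite, codename in available:
        p = 990 if is_target(default_release, suite, codename) else 500
        prio[version] = max(prio.get(version, 0), p)
    return prio

def candidate(default_release, installed, available):
    """Highest priority wins; ties go to the newest version."""
    prio = priorities(default_release, installed, available)
    return max(prio, key=lambda v: (prio[v], natural_key(v)))

# Constructed sample mirroring the thread: (version, suite, codename).
INSTALLED = "1:9.2p1-2+deb12u1"
AVAILABLE = [
    ("1:9.2p1-2+deb12u1", "stable", "bookworm"),
    ("1:9.2p1-2+deb12u2", "stable-security", "bookworm-security"),
]

if __name__ == "__main__":
    for setting in (None, "stable", "/^bookworm(|-security|-updates)$/"):
        print(repr(setting), priorities(setting, INSTALLED, AVAILABLE),
              "->", candidate(setting, INSTALLED, AVAILABLE))
```

With `"stable"` the installed version sits at 990 while the security fix stays at 500, so the older package remains the candidate; with no Default-Release or with the regular expression, both versions share a priority and the newer one is chosen.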