Bug#929667: debian-installer doesn't install Recommends of linux-image-*

To: Patrick <patrick.kuijvenhoven@gmail.com>, 929667@bugs.debian.org
Subject: Bug#929667: debian-installer doesn't install Recommends of linux-image-*
From: Ben Hutchings <ben@decadent.org.uk>
Date: Tue, 28 May 2019 17:08:42 +0100
Message-id: <[🔎] acccd7c2b8b6d7eb7e3950c27d40325da570901c.camel@decadent.org.uk>
Reply-to: Ben Hutchings <ben@decadent.org.uk>, 929667@bugs.debian.org
In-reply-to: <[🔎] CAJPOrZoioWTU=dALxmqghtnPiEiQ=TYKC0SmJ=5tJz5+tZtJsw@mail.gmail.com>
References: <[🔎] CAJPOrZoioWTU=dALxmqghtnPiEiQ=TYKC0SmJ=5tJz5+tZtJsw@mail.gmail.com> <[🔎] CAJPOrZoioWTU=dALxmqghtnPiEiQ=TYKC0SmJ=5tJz5+tZtJsw@mail.gmail.com>

Control: tag -1 serious

On Tue, 2019-05-28 at 10:16 +0200, Patrick wrote:
> Package: debian-installer
> Version: 20190410
> 
> debian-installer doesn't install the Recommends of "linux-image-*".
> Apparently, this is by design since [1].
>
> The effects are:
> 1) For "buster", a clean install doesn't include "apparmor" and
> "firmware-linux-free" (both are Recommends for "linux-image-*"). This
> is curious, because [2] suggests "apparmor" is enabled by default,
> while it actually isn't.
> 2) A future kernel upgrade initiated by "apt" _WILL_ install the
> "Recommends", causing "apparmor" and "firmware-linux-free" to be
> installed at that stage.

There has (effectively) been a change in APT's behaviour since that
earlier commit.  "apt-get upgrade" does not install new packages unless
you use the --with-new-pkgs option.  However, the newer "apt upgrade"
command does install new dependencies and recommendations.

Because security upgrades sometimes introduce ABI changes and new
binary packages, we now recommend use of either
"apt-get upgrade --with-new-pkgs" or "apt upgrade" for all upgrades,
and since last year the installer uses the former.

> I think these effects are undesired. I'd suggest to use
> "APT::Install-Recommends true" when installing the linux image.

I agree that it's a serious problem that AppArmor may only be properly
enabled later, and I'm upgrading the severity accordingly.

I think that for at least the kernel installation,
APT::Install-Recommends should be set to the same value it will have in
the installed system, i.e. dependent on base-installer/install-
recommends.

However, I think we should revert this commit entirely.  The current
default behaviour is that *any* security update or other stable update
will cause the installation of its recommendations where they weren't
installed before, and that is likely to be quite surprising.

Ben.

> [1] https://salsa.debian.org/installer-team/base-installer/commit/53e3722a1376c4777701e453d03491b8090fefd2
> [2] https://www.debian.org/releases/buster/amd64/release-notes/ch-whats-new.en.html#apparmor
> 
-- 
Ben Hutchings
Make three consecutive correct guesses and you will be considered
an expert.

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to:

References:
- Bug#929667: debian-installer doesn't install Recommends of linux-image-*
  - From: Patrick <patrick.kuijvenhoven@gmail.com>

Prev by Date: Bug#929667: debian-installer doesn't install Recommends of linux-image-*
Next by Date: Processed: severity of 929667 is serious
Previous by thread: Bug#929667: debian-installer doesn't install Recommends of linux-image-*
Next by thread: Processed: severity of 929667 is serious
Index(es):
- Date
- Thread