[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#991478: [shim-signed] RFE: do not brick users' systems in the stable distribution

On Tue, 10 Aug 2021 20:20:23 +0200
Paul Gevers <elbrus@debian.org> wrote:

> I learned yesterday that people that use APT pinning or
> APT::Default-Release may be missing out -updates if they pin to buster
> only. See the latest entry to the release notes [1, last paragraph] to
> cover the issue for bullseye-security. I'm obviously not sure if that
> happened here, but if the issue is the same on ci.d.n infrastructure, it
> would explain the failure there (the logs from yesterday there mention
> "Setting up shim-signed:arm64 (1.36~1+deb10u1+15.4-5~deb10u1)".

I have regained access to some cloud instances with that setup today.

Created them from an older backup, and I see that I do have in my apt.conf:

  APT::Default-Release "buster";
  APT::Install-Recommends "false";


# apt-cache policy shim-signed
  Installed: 1.33+15+1533136590.3beb971-7
  Candidate: 1.36~1+deb10u1+15.4-5~deb10u1
  Version table:
     1.36~1+deb10u2+15.4-5~deb10u1 500
        500 https://deb.debian.org/debian buster-updates/main arm64 Packages
     1.36~1+deb10u1+15.4-5~deb10u1 990
        990 https://deb.debian.org/debian buster/main arm64 Packages
 *** 1.33+15+1533136590.3beb971-7 100
        100 /var/lib/dpkg/status

Indeed the "Candidate" to be installed is what is supposedly the broken

After changing the config line to

  APT::Default-Release "/^buster(|-security|-updates)$/";

the updated version is selected correctly.

It does not feel great to now have a version selection with such dire
consequences to rely on "the undocumented feature of APT".

(So I just chose to "aptitude hold" the old one for now instead).

> [1]
> https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#security-archive

It appears they meant "-updates" there, instead of typoed "-upgrades" in their
suggested config line, unless I'm missing something.

With respect,

Reply to: