
Bug#991478: [shim-signed] RFE: do not brick users' systems in the stable distribution



On Tue, 10 Aug 2021 20:20:23 +0200
Paul Gevers <elbrus@debian.org> wrote:

> I learned yesterday that people that use APT pinning or
> APT::Default-Release may be missing out -updates if they pin to buster
> only. See the latest entry to the release notes [1, last paragraph] to
> cover the issue for bullseye-security. I'm obviously not sure if that
> happened here, but if the issue is the same on ci.d.n infrastructure, it
> would explain the failure there (the logs from yesterday there mention
> "Setting up shim-signed:arm64 (1.36~1+deb10u1+15.4-5~deb10u1)".

I have regained access to some cloud instances with that setup today.

Created them from an older backup, and I see that I do have in my apt.conf:

  APT::Default-Release "buster";
  APT::Install-Recommends "false";

And:

# apt-cache policy shim-signed
shim-signed:
  Installed: 1.33+15+1533136590.3beb971-7
  Candidate: 1.36~1+deb10u1+15.4-5~deb10u1
  Version table:
     1.36~1+deb10u2+15.4-5~deb10u1 500
        500 https://deb.debian.org/debian buster-updates/main arm64 Packages
     1.36~1+deb10u1+15.4-5~deb10u1 990
        990 https://deb.debian.org/debian buster/main arm64 Packages
 *** 1.33+15+1533136590.3beb971-7 100
        100 /var/lib/dpkg/status

Indeed the "Candidate" to be installed is what is supposedly the broken
version.

After changing the config line to

  APT::Default-Release "/^buster(|-security|-updates)$/";

the updated version is selected correctly.

It does not feel great to now have a version selection with such dire
consequences to rely on "the undocumented feature of APT".

(So I just chose to "aptitude hold" the old one for now instead).

> [1]
> https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#security-archive

It appears they meant "-updates" there, instead of typoed "-upgrades" in their
suggested config line, unless I'm missing something.

-- 
With respect,
Roman
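
Added example, not part of the original message and not code from APT or Debian: a check that reads `apt-cache policy` output, such as the output quoted above, and reports newer versions that the pin priorities passed over when choosing the candidate. The function name `passed_over` is hypothetical, and the check assumes the version table is printed newest-first.

```python
import re

# Sample input: the `apt-cache policy shim-signed` output from the message above.
SAMPLE = """\
shim-signed:
  Installed: 1.33+15+1533136590.3beb971-7
  Candidate: 1.36~1+deb10u1+15.4-5~deb10u1
  Version table:
     1.36~1+deb10u2+15.4-5~deb10u1 500
        500 https://deb.debian.org/debian buster-updates/main arm64 Packages
     1.36~1+deb10u1+15.4-5~deb10u1 990
        990 https://deb.debian.org/debian buster/main arm64 Packages
 *** 1.33+15+1533136590.3beb971-7 100
        100 /var/lib/dpkg/status
"""

# "<version> <priority>" rows, optionally marked "***" when installed.
VERSION_LINE = re.compile(r"^\s+(?:\*\*\*\s+)?(\S+)\s+(-?\d+)\s*$")
# "<priority> <source description>" rows that follow each version row.
SOURCE_LINE = re.compile(r"^\s+-?\d+\s+(\S.*)$")


def passed_over(policy_text):
    """Return (candidate, newer): table rows listed above the candidate."""
    candidate, in_table, table = None, False, []
    for line in policy_text.splitlines():
        if line.strip().startswith("Candidate:"):
            candidate = line.split(":", 1)[1].strip()
        elif line.strip() == "Version table:":
            in_table = True
        elif in_table and (m := VERSION_LINE.match(line)):
            table.append((m.group(1), int(m.group(2)), []))
        elif in_table and table and (m := SOURCE_LINE.match(line)):
            table[-1][2].append(m.group(1))
    versions = [v for v, _, _ in table]
    if candidate not in versions:
        return candidate, []
    # Assumption: the table is newest-first, so every row above the
    # candidate is a newer version that lost on pin priority.
    return candidate, table[: versions.index(candidate)]


if __name__ == "__main__":
    cand, newer = passed_over(SAMPLE)
    for version, prio, sources in newer:
        print(f"candidate {cand} shadows {version} (priority {prio}): {sources}")
```
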

