Re: Bullseye security.debian.org codename misconfigured?

To: Debian-Security <debian-security@lists.debian.org>
Subject: Re: Bullseye security.debian.org codename misconfigured?
From: Cindy Sue Causey <butterflybytes@gmail.com>
Date: Sun, 23 Jan 2022 12:05:44 -0500
Message-id: <[🔎] CAO1P-kBrfAA9pAV0SKLKy2r5PnPo_2odv9sC0RcJ=M7FXOob2w@mail.gmail.com>
In-reply-to: <[🔎] d88d2826-6ef7-08c4-bd7f-ea28acd68298@sfritsch.de>
References: <[🔎] 298d3940-6769-cb9e-d735-0643af5de2b9@sfritsch.de> <[🔎] 87y237v8k2.fsf@miraculix.mork.no> <[🔎] d88d2826-6ef7-08c4-bd7f-ea28acd68298@sfritsch.de>

On 1/23/22, Stefan Fritsch <sf@sfritsch.de> wrote:
> Am 22.01.22 um 21:07 schrieb Bjørn Mork:
>> Stefan Fritsch <sf@sfritsch.de> writes:
>>
>>> # cat /etc/apt/apt.conf.d/11-default-release
>>> APT::Default-Release "bullseye";
>>
>> Just don't do that.  It breaks all normal preferences and will end up
>> preferring "bullseye" over anything else.  Including
>> "bullseye-security".
>
> This used to work until buster. But it turns out the release-notes
> mention this problem and the correct syntax is now:
>
> APT::Default-Release "/^bullseye(|-security|-updates)$/";
>
>
> The failure mode of silently not installing security updates is bad,
> though. But I don't see an easy way to fix that. Maybe apt should print
> a warning if one uses a simple codename as Default-Release?

Congratulations on finding the fix. That's cool. It falls in line with
how the repositories are declared.

With respect to a proposed warning, I spent years naively a-suming
that security updates were part of the primary, single line repository
declaration. A little 4-watt light bulb went off overhead during a
Debian-User exchange a couple years ago. Prior to that thread, I'd
been on outside security tech lists and had seen major update
advisories but could never figure out why I was not seeing those same
packages update on my Debian.

This type of ongoing warning might upset some longstanding Users...
unless there was a way to have it only be once a month.. or.. maybe
have a way to trigger it off permanently via the command line
interface for e.g. apt and apt-get.

Another alternative could evolve into a teaching moment by having a
warning state where to turn the warning OFF in e.g. an apt or apt-get
config file. It could be something like the very fix found for this
current thread.

That might lead newer users to explore those types of files more and
thus learn more about the inner workings of Debian. It was something
along those lines that triggered my interest in regularly tearing into
my own install's files a number of years ago now. :)

Cindy :)
-- 
Cindy-Sue Causey
Talking Rock, Pickens County, Georgia, USA
* runs with birdseed *

Reply to:

References:
- Bullseye security.debian.org codename misconfigured?
  - From: Stefan Fritsch <sf@sfritsch.de>
- Re: Bullseye security.debian.org codename misconfigured?
  - From: Bjørn Mork <bjorn@mork.no>
- Re: Bullseye security.debian.org codename misconfigured?
  - From: Stefan Fritsch <sf@sfritsch.de>

Prev by Date: Re: Bullseye security.debian.org codename misconfigured?
Next by Date: A message from Zoom Video Communications, Inc. -- re: free / open source software licensing, security
Previous by thread: Re: Bullseye security.debian.org codename misconfigured?
Next by thread: A message from Zoom Video Communications, Inc. -- re: free / open source software licensing, security
Index(es):
- Date
- Thread