Re: APT preferring `stable` over `stable-security`
Stefan Monnier wrote:
> I noticed today that one of my machines was still running openssh
> 1:9.2p1-2+deb12u1 rather than 1:9.2p1-2+deb12u2 even though it is
> supposed to do its unattended-upgrades, so I tried a manual upgrade and
> the result was still the same.
>
> Only after
>
> apt install openssh-server/stable-security
>
> did the machine get the new version :-(
>
> The `sources.list` files says:
>
> deb http://security.debian.org/ stable-security main
> deb http://deb.debian.org/debian stable main
>
> and the `apt.conf` says:
>
> APT::Default-Release "stable";
> Aptitude::CmdLine::Show-Deps "true";
> APT::Periodic::Unattended-Upgrade "1";
>
> Which I thought was the "normal" config (modulo the use of "stable"
> instead of "bookworm") where the `stable-security` would automatically
> take precedence when applicable. But it looks like the
> `stable-security` repository is just not used at all!
>
> What am I missing?
https://wiki.debian.org/AptConfiguration#Be_careful_with_APT::Default-Release
(quoted entirely)
Maybe you have noticed examples like setting APT::Default-Release "stable"; or APT::Default-Release "bookworm";. It prevents installing security updates by apt upgrade, so avoid it. Instead of increasing priority of the current release, consider setting lower priority of added repositories through apt_preferences (APT pinning). Since Debian 11 bullseye the security repository is labeled as stable-security and e.g. bookworm-security, so at least use a regular expression matching all primary suites:
APT::Default-Release "/^bookworm(|-security|-updates)$/";
-dsr-
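The misconfiguration discussed above can be audited mechanically. The script below is an added example, not code from the thread or from APT itself; it assumes constructed copies of the quoted apt.conf and sources.list and reports which suites a bare APT::Default-Release stops APT from preferring.

```shell
#!/bin/sh
# Added example (not from the thread or from APT): audit an apt.conf fragment
# against a sources.list and report the suites that a bare APT::Default-Release
# value leaves behind at priority 500, e.g. "stable-security".

# Constructed sample files mirroring the configuration in the quoted message.
SAMPLE_CONF=$(mktemp); SAMPLE_SOURCES=$(mktemp); FIXED_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
APT::Default-Release "stable";
EOF
cat >"$SAMPLE_SOURCES" <<'EOF'
deb http://security.debian.org/ stable-security main
deb http://deb.debian.org/debian stable main
EOF
# Corrected form: a /regex/ that also matches the -security and -updates suites
# (equivalent to the wiki's "(|-security|-updates)" alternation).
cat >"$FIXED_CONF" <<'EOF'
APT::Default-Release "/^stable(-security|-updates)?$/";
EOF

# Print the configured Default-Release value without quotes; empty if unset.
default_release() {
    sed -n 's/^[[:space:]]*APT::Default-Release[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | tail -n 1
}

# Suites named in the deb/deb-src lines of a sources.list (third field).
list_suites() {
    awk '$1 == "deb" || $1 == "deb-src" { print $3 }' "$1" | sort -u
}

# True when Default-Release value $1 (bare name or /regex/) matches suite $2.
suite_matches() {
    case "$1" in
        /*/) pat=${1#/}; pat=${pat%/}; printf '%s\n' "$2" | grep -Eq -- "$pat" ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# Print every suite in sources.list $2 that the Default-Release in $1 does not
# cover. The matched suite is raised to priority 990 while these stay at 500,
# so their packages (security fixes included) lose on a plain "apt upgrade".
# An unset Default-Release leaves APT's normal priorities alone: prints nothing.
uncovered_suites() {
    rel=$(default_release "$1")
    [ -n "$rel" ] || return 0
    list_suites "$2" | while read -r s; do
        suite_matches "$rel" "$s" || printf '%s\n' "$s"
    done
}

uncovered_suites "$SAMPLE_CONF" "$SAMPLE_SOURCES"   # prints: stable-security
uncovered_suites "$FIXED_CONF" "$SAMPLE_SOURCES"    # prints nothing
```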