Bug#849382: [apt] Every package on the system gets silently upgraded to backports. The result is severe system breakage, malfunctioning and data loss.
On Mon, 26 Dec 2016 14:40:05 +0100 (CET) <34tg535@tutanota.com> wrote:
> I use Debian 8 64bit with GNOME installed with standard install
> procedure from netinstall and using tasksel. This occured to me the
> second time. First time was a year ago, I reinstalled Debian then and
> a year after this happens again. Both occurences were on Debian 8,
> stable at the time.
I have seen this as well and know under which circumstances this happens:
a) backports repository is enabled in source.list (obviously)
b) "apt update" is run and all normal repositories fail to download or
are invalid
When this happens, apt will happily upgrade all packages where a
backported version exists to that version.
Why?
Because of the pin value of a package in such a case. For example:
# apt-cache policy exim4
exim4:
Installed: 4.84.2-2+deb8u2
Candidate: 4.84.2-2+deb8u2
Version table:
4.88~RC6-2~bpo8+1 0
100 http://deb.debian.org/debian/ jessie-backports/main amd64
Packages
*** 4.84.2-2+deb8u2 0
500 http://deb.debian.org/debian-security/ jessie/updates/main
amd64 Packages
500 http://security.debian.org/ jessie/updates/main amd64 Packages
100 /var/lib/dpkg/status
4.84.2-2+deb8u1 0
500 http://deb.debian.org/debian/ jessie/main amd64 Packages
The backports pacakges has a value of 100 as has the installed package.
The package from the normal repository is at 500 and thus the candidate.
If the normal repositories fail to download and are invalid the
backported package and the installed package both are the only
candidates left (and are both at the same pin value) and because the
backported package has a higher version it is installed.
Workaround:
Have more than one mirror configured so that the chance is higher that
at least one is valid.
Grüße,
Sven.
Reply to: