[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#913913: Bug#931524: security.debian.org: bullseye security updates may be silently skipped on systems using apt pinning

On Mon, Jul 08, 2019 at 08:26:50AM +0200, Piotr Engelking wrote:
> Julian Andres Klode <jak@debian.org>:
> 
> > > Now a=testing packages have higher priority than the a=testing-security
> > > ones, which results in security updates not being installed. Another
> > > method of pinning configuration, using APT::Default-Release, has
> > > exactly the same effect.
> >
> > And this is a good thing IMO, as you want to be able to pin release
> > over security.
> 
> Why? Anyway, this was already possible, using l=Debian and
> l=Debian-Security.

ugh.

> 
> > > * Change the suite from a=testing-security back to a=testing. This is
> > >   least work, but I don't know if it has any downsides I am unaware of.
> >
> > That means that testing-security does not work, as testing-security is
> > not testing and apt will complain.
> 
> Which diagnostics are you talking about? I wasn't able to find it.

e.g. for Ubuntu, using the devel symlink for eoan, you get:

W: Conflicting distribution: http://de1.archive.ubuntu.com/ubuntu devel InRelease (expected devel but got eoan)

Same thing would apply in this case and it would say:

W: Conflicting distribution: http://security.debian.org/debian-security testing-security InRelease (expected testing-security but got testing)

or it might even say "got bullseye", not entirely sure.

Anyhow, we've got two years to fix this, no need to rush a "fix" out
now.
-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
Reply to: