
Bug#1024260: marked as done (apt: An easy way to install only security updates)



Your message dated Wed, 16 Nov 2022 18:47:50 +0100
with message-id <20221116174750.uwyvt2aealjrro5u@crossbow>
and subject line Re: Bug#1024260: apt: An easy way to install only security updates
has caused the Debian Bug report #1024260,
regarding apt: An easy way to install only security updates
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1024260: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024260
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apt
Version: 2.0.9
Severity: wishlist

Dear Maintainer,

Please provide an easy one-line way to only install security updates.
This scenario is essential for the docker images. People need the
security updates but not the bloated image from other updates.

There's an interest for this feature in the community [1][2]. Current
solutions are bulky which makes them less likely to be adopted. Most
people just stick to outdated base images and install no updates at all.
This is very unfortunate and not good for the security in general.

I see two ways how this could be done in a general non-hacky way:
1) Support "Suite" filter as a command-line option in apt-get.
2) Provide a separate sources-security.list into the default install,
then users can pick it with the '-o Dir::Etc::SourceList' option.

I'm not sure about the option (1), but option (2) looks very simple and
nevertheless would greatly improve the availability of security updates.

[1] https://serverfault.com/questions/270260/how-do-you-use-apt-get-to-only-install-critical-security-updates-on-ubuntu
[2] https://askubuntu.com/questions/194/how-can-i-install-just-security-updates-from-the-command-line

-- Package-specific info:

-- apt-config dump --


-- (no /etc/apt/preferences present) --


-- (no /etc/apt/preferences.d/* present) --


-- /etc/apt/sources.list --

# deb cdrom:[Ubuntu 20.04.3 LTS _Focal Fossa_ - Release amd64 (20210819)]/ focal main restricted

# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://fr.archive.ubuntu.com/ubuntu/ focal main restricted
# deb-src http://fr.archive.ubuntu.com/ubuntu/ focal main restricted

#  # Major bug fix updates produced after the final release of the
#  # distribution.
deb http://fr.archive.ubuntu.com/ubuntu/ focal-updates main restricted
# deb-src http://fr.archive.ubuntu.com/ubuntu/ focal-updates main restricted

#  # N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
#  # team. Also, please note that software in universe WILL NOT receive any
#  # review or updates from the Ubuntu security team.
deb http://fr.archive.ubuntu.com/ubuntu/ focal universe
# deb-src http://fr.archive.ubuntu.com/ubuntu/ focal universe
deb http://fr.archive.ubuntu.com/ubuntu/ focal-updates universe
# deb-src http://fr.archive.ubuntu.com/ubuntu/ focal-updates universe

#  # N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
#  # team, and may not be under a free licence. Please satisfy yourself as to
#  # your rights to use the software. Also, please note that software in
#  # multiverse WILL NOT receive any review or updates from the Ubuntu
#  # security team.
deb http://fr.archive.ubuntu.com/ubuntu/ focal multiverse
# deb-src http://fr.archive.ubuntu.com/ubuntu/ focal multiverse
deb http://fr.archive.ubuntu.com/ubuntu/ focal-updates multiverse
# deb-src http://fr.archive.ubuntu.com/ubuntu/ focal-updates multiverse

#  # N.B. software from this repository may not have been tested as
#  # extensively as that contained in the main release, although it includes
#  # newer versions of some applications which may provide useful features.
#  # Also, please note that software in backports WILL NOT receive any review
#  # or updates from the Ubuntu security team.
deb http://fr.archive.ubuntu.com/ubuntu/ focal-backports main restricted universe multiverse
# deb-src http://fr.archive.ubuntu.com/ubuntu/ focal-backports main restricted universe multiverse

#  # Uncomment the following two lines to add software from Canonical's
#  # 'partner' repository.
#  # This software is not part of Ubuntu, but is offered by Canonical and the
#  # respective vendors as a service to Ubuntu users.
# deb http://archive.canonical.com/ubuntu focal partner
# deb-src http://archive.canonical.com/ubuntu focal partner

deb http://security.ubuntu.com/ubuntu focal-security main restricted
# deb-src http://security.ubuntu.com/ubuntu focal-security main restricted
deb http://security.ubuntu.com/ubuntu focal-security universe
# deb-src http://security.ubuntu.com/ubuntu focal-security universe
deb http://security.ubuntu.com/ubuntu focal-security multiverse
# deb-src http://security.ubuntu.com/ubuntu focal-security multiverse

# This system was installed using small removable media
# (e.g. netinst, live or single CD). The matching "deb cdrom"
# entries were disabled at the end of the installation process.
# For information about how to configure apt package sources,
# see the sources.list(5) manual.

-- (/etc/apt/sources.list.d/docker.list present, but not submitted) --


-- (/etc/apt/sources.list.d/google-chrome.list present, but not submitted) --


-- (/etc/apt/sources.list.d/hashicorp.list present, but not submitted) --


-- (/etc/apt/sources.list.d/pgadmin4.list present, but not submitted) --


-- (/etc/apt/sources.list.d/slack.list present, but not submitted) --


-- (/etc/apt/sources.list.d/yandex-beta.list present, but not submitted) --


-- System Information:
Debian Release: bullseye/sid
  APT prefers focal-updates
  APT policy: (500, 'focal-updates'), (500, 'focal-security'), (500, 'focal'), (100, 'focal-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.15.0-52-generic (SMP w/8 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apt depends on:
ii  adduser         3.118ubuntu2
ii  gpgv            2.2.19-3ubuntu2.2
ii  libapt-pkg6.0   2.0.9
ii  libc6           2.31-0ubuntu9.9
ii  libgcc-s1       10.3.0-1ubuntu1~20.04
ii  libgnutls30     3.6.13-2ubuntu1.7
ii  libseccomp2     2.5.1-1ubuntu1~20.04.2
ii  libstdc++6      10.3.0-1ubuntu1~20.04
ii  libsystemd0     245.4-4ubuntu3.18
ii  ubuntu-keyring  2020.02.11.4

Versions of packages apt recommends:
ii  ca-certificates  20211016~20.04.1

Versions of packages apt suggests:
pn  apt-doc                      <none>
pn  aptitude | synaptic | wajig  <none>
ii  dpkg-dev                     1.19.7ubuntu3.2
ii  gnupg                        2.2.19-3ubuntu2.2
ii  powermgmt-base               1.36

-- no debconf information

--- End Message ---
--- Begin Message ---
On Wed, Nov 16, 2022 at 05:01:06PM +0100, Alexey Salmin wrote:
> I see two ways how this could be done in a general non-hacky way:
> 1) Support "Suite" filter as a command-line option in apt-get.

That is technically already available via --target-release (-t) assuming
the repository providing these critical updates (whatever that is) uses
a different suite name than the others AND your pinning is set up
accordingly. Both are not in the hands of apt.


> 2) Provide a separate sources-security.list into the default install,
> then users can pick it with the '-o Dir::Etc::SourceList' option.

That would also be a request for whatever configures apt (like the
installer or … your image builder?) as apt comes with no sources by
default.


Different distros will have different repositories, names, setups and
customs so apt couldn't even if we tried.


> I'm not sure about the option (1), but option (2) looks very simple and
> nevertheless would greatly improve the availability of security updates.
> 
> [1] https://serverfault.com/questions/270260/how-do-you-use-apt-get-to-only-install-critical-security-updates-on-ubuntu
> [2] https://askubuntu.com/questions/194/how-can-i-install-just-security-updates-from-the-command-line

I don't think so. You are talking only about Ubuntu and I don't know
that distro much, but I presume they aren't super-different to Debian,
where on stable (whatever letter in Ubuntu is current, in Debian that
would be bullseye at the moment) every update you get is an important
upgrade you should apply, regardless of it coming via bullseye,
bullseye-updates or bullseye-security… (that is, upgrades tend to
flow from the later to the earlier so if you don't upgrade for months,
all the security upgrades will seem to come from bullseye directly).

Okay, sometimes packages need to be updated to fix non-security
problems, like the $videoplatform-downloader adapting to changed APIs,
but that might very well be just as (or even more) critical a problem than
all security upgrades combined depending on your specific system & use
cases. stable doesn't get upgrades just for the fun of it. That's the
whole point and why it's called "stable".


If we aren't talking about a stable system, but testing or even unstable it
would be interesting to only install security upgrades, but those do
not really exist (as usually a new upstream rather than a backport is
brought in to fix a problem and is hence indistinguishable usually
from an upgrade not fixing anything) and tend to depend on other
"unimportant" updates, too – like a browser fixing 10 CVEs in its newest
upstream release built against the newest libc not fixing any (known)
bugs, which also pulls in … aka: partial upgrade problem. Usually not
worth the hassle.


Okay, there is of course one big elephant in the room here: What about
the repositories not providing sensible security upgrades like the
hodgepodge of third-party/PPAs/you-name-it you might have also in your
sources… well, that remains a configuration issue as apt has no idea
what idea of security support a given repository has – I presume at
times, not even the maintainer of some of them knows. That is why
configuring unattended-upgrades can be a challenge. That is more than
you ask here though, you aim for attended-upgrades…


So, yeah, I don't see any possible angle for us as APT maintainers to do
anything here, so I am closing as not-a-bug (for us). It might very well
be a bug for things working with apt though, but not very useful to keep
it unactionable here.


Best regards

David Kalnischkies

P.S.: Isn't it like the whole point of Docker and Co that you have an
automatic way of rebuilding images all the time to incorporate upgrades?
What's the point if nobody uses that…



--- End Message ---
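
The two mechanisms discussed in this thread, option (2)'s separate source list selected with `-o Dir::Etc::SourceList` and the `--target-release` route from the reply, shown as an added example that is not taken from either message or from apt itself. The function names, temporary paths, the `signed-by` keyring path and the sample list are constructed; it assumes one-line-style entries and a security suite whose name ends in `-security`, as in the sources.list submitted with the report.

```shell
#!/bin/sh
# Added example: derive a security-only source list from an existing
# one-line-style sources.list (deb822 ".sources" files are not handled).
# Assumption: the security pocket is the suite whose name ends in "-security".

# security_sources FILE
# Print the active deb/deb-src lines of FILE whose suite ends in "-security".
security_sources() {
    awk '
        /^[[:space:]]*#/ { next }                 # comments and disabled entries
        $1 != "deb" && $1 != "deb-src" { next }   # blank or unrelated lines
        {
            # Layout: type [ options ] uri suite component...
            i = 2
            if ($i ~ /^\[/) {                     # skip an optional [k=v ...] block
                while (i <= NF && $i !~ /\]$/) i++
                i++
            }
            suite = $(i + 1)                      # $i is the URI, next is the suite
            if (suite ~ /-security$/) print
        }
    ' "$1"
}

# write_security_list SRC DEST
# Write the filtered list to DEST. Returns non-zero when no security entry
# was found, so an image build fails instead of silently applying nothing.
write_security_list() {
    security_sources "$1" > "$2"
    [ -s "$2" ]
}

# Constructed sample input, shaped like the sources.list in the report.
sample_sources() {
    cat <<'EOF'
deb http://fr.archive.ubuntu.com/ubuntu/ focal main restricted
deb http://fr.archive.ubuntu.com/ubuntu/ focal-updates main restricted
# deb-src http://security.ubuntu.com/ubuntu focal-security main restricted
deb http://security.ubuntu.com/ubuntu focal-security main restricted
deb [arch=amd64 signed-by=/usr/share/keyrings/example.gpg] http://security.ubuntu.com/ubuntu focal-security universe
deb http://fr.archive.ubuntu.com/ubuntu/ focal-backports main restricted universe multiverse
EOF
}

# Demo on the constructed sample: prints the two active focal-security lines.
demo_dir=$(mktemp -d)
sample_sources > "$demo_dir/sources.list"
write_security_list "$demo_dir/sources.list" "$demo_dir/sources-security.list" \
    && cat "$demo_dir/sources-security.list"
rm -rf "$demo_dir"

# On a real system (not executed here) the generated file would be used as:
#   write_security_list /etc/apt/sources.list /tmp/sources-security.list
#   apt-get -o Dir::Etc::SourceList=/tmp/sources-security.list \
#           -o Dir::Etc::SourceParts=/dev/null update
#   apt-get -o Dir::Etc::SourceList=/tmp/sources-security.list \
#           -o Dir::Etc::SourceParts=/dev/null upgrade
# Dir::Etc::SourceParts is overridden as well so that third-party lists under
# sources.list.d are left out of the run.
# The reply's alternative is "apt-get -t <suite> upgrade", which, as stated
# there, depends on the suite naming and on the pinning in place.
```

Running `apt-get update` again without the overrides restores the full package lists afterwards.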
