Your message dated Wed, 16 Nov 2022 18:47:50 +0100
with message-id <20221116174750.uwyvt2aealjrro5u@crossbow>
and subject line Re: Bug#1024260: apt: An easy way to install only security updates
has caused the Debian Bug report #1024260,
regarding apt: An easy way to install only security updates
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1024260: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024260
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: apt: An easy way to install only security updates
- From: Alexey Salmin <alexey.salmin+debianbugs@gmail.com>
- Date: Wed, 16 Nov 2022 17:01:06 +0100
- Message-id: <166861446697.675077.15966905637545760401.reportbug@salmin-dell>
Package: apt
Version: 2.0.9
Severity: wishlist

Dear Maintainer,

Please provide an easy one-line way to only install security updates.

This scenario is essential for the docker images. People need the security
updates but not the bloated image from other updates.

There's an interest for this feature in the community [1][2]. Current
solutions are bulky which makes them less likely to be adopted. Most people
just stick to outdated base images and install no updates at all. This is
very unfortunate and not good for the security in general.

I see two ways this could be done in a general non-hacky way:
1) Support "Suite" filter as a command-line option in apt-get.
2) Provide a separate sources-security.list into the default install,
   then users can pick it with the '-o Dir::Etc::SourceList' option.

I'm not sure about the option (1), but option (2) looks very simple and
nevertheless would greatly improve the availability of security updates.

[1] https://serverfault.com/questions/270260/how-do-you-use-apt-get-to-only-install-critical-security-updates-on-ubuntu
[2] https://askubuntu.com/questions/194/how-can-i-install-just-security-updates-from-the-command-line

-- Package-specific info:

-- apt-config dump --

-- (no /etc/apt/preferences present) --

-- (no /etc/apt/preferences.d/* present) --

-- /etc/apt/sources.list --

# deb cdrom:[Ubuntu 20.04.3 LTS _Focal Fossa_ - Release amd64 (20210819)]/ focal main restricted

# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://fr.archive.ubuntu.com/ubuntu/ focal main restricted
# deb-src http://fr.archive.ubuntu.com/ubuntu/ focal main restricted

# # Major bug fix updates produced after the final release of the
# # distribution.
deb http://fr.archive.ubuntu.com/ubuntu/ focal-updates main restricted
# deb-src http://fr.archive.ubuntu.com/ubuntu/ focal-updates main restricted

# # N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
# # team. Also, please note that software in universe WILL NOT receive any
# # review or updates from the Ubuntu security team.
deb http://fr.archive.ubuntu.com/ubuntu/ focal universe
# deb-src http://fr.archive.ubuntu.com/ubuntu/ focal universe
deb http://fr.archive.ubuntu.com/ubuntu/ focal-updates universe
# deb-src http://fr.archive.ubuntu.com/ubuntu/ focal-updates universe

# # N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
# # team, and may not be under a free licence. Please satisfy yourself as to
# # your rights to use the software. Also, please note that software in
# # multiverse WILL NOT receive any review or updates from the Ubuntu
# # security team.
deb http://fr.archive.ubuntu.com/ubuntu/ focal multiverse
# deb-src http://fr.archive.ubuntu.com/ubuntu/ focal multiverse
deb http://fr.archive.ubuntu.com/ubuntu/ focal-updates multiverse
# deb-src http://fr.archive.ubuntu.com/ubuntu/ focal-updates multiverse

# # N.B. software from this repository may not have been tested as
# # extensively as that contained in the main release, although it includes
# # newer versions of some applications which may provide useful features.
# # Also, please note that software in backports WILL NOT receive any review
# # or updates from the Ubuntu security team.
deb http://fr.archive.ubuntu.com/ubuntu/ focal-backports main restricted universe multiverse
# deb-src http://fr.archive.ubuntu.com/ubuntu/ focal-backports main restricted universe multiverse

# # Uncomment the following two lines to add software from Canonical's
# # 'partner' repository.
# # This software is not part of Ubuntu, but is offered by Canonical and the
# # respective vendors as a service to Ubuntu users.
# deb http://archive.canonical.com/ubuntu focal partner
# deb-src http://archive.canonical.com/ubuntu focal partner

deb http://security.ubuntu.com/ubuntu focal-security main restricted
# deb-src http://security.ubuntu.com/ubuntu focal-security main restricted
deb http://security.ubuntu.com/ubuntu focal-security universe
# deb-src http://security.ubuntu.com/ubuntu focal-security universe
deb http://security.ubuntu.com/ubuntu focal-security multiverse
# deb-src http://security.ubuntu.com/ubuntu focal-security multiverse

# This system was installed using small removable media
# (e.g. netinst, live or single CD). The matching "deb cdrom"
# entries were disabled at the end of the installation process.
# For information about how to configure apt package sources,
# see the sources.list(5) manual.

-- (/etc/apt/sources.list.d/docker.list present, but not submitted) --

-- (/etc/apt/sources.list.d/google-chrome.list present, but not submitted) --

-- (/etc/apt/sources.list.d/hashicorp.list present, but not submitted) --

-- (/etc/apt/sources.list.d/pgadmin4.list present, but not submitted) --

-- (/etc/apt/sources.list.d/slack.list present, but not submitted) --

-- (/etc/apt/sources.list.d/yandex-beta.list present, but not submitted) --

-- System Information:
Debian Release: bullseye/sid
  APT prefers focal-updates
  APT policy: (500, 'focal-updates'), (500, 'focal-security'), (500, 'focal'), (100, 'focal-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.15.0-52-generic (SMP w/8 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apt depends on:
ii  adduser         3.118ubuntu2
ii  gpgv            2.2.19-3ubuntu2.2
ii  libapt-pkg6.0   2.0.9
ii  libc6           2.31-0ubuntu9.9
ii  libgcc-s1       10.3.0-1ubuntu1~20.04
ii  libgnutls30     3.6.13-2ubuntu1.7
ii  libseccomp2     2.5.1-1ubuntu1~20.04.2
ii  libstdc++6      10.3.0-1ubuntu1~20.04
ii  libsystemd0     245.4-4ubuntu3.18
ii  ubuntu-keyring  2020.02.11.4

Versions of packages apt recommends:
ii  ca-certificates  20211016~20.04.1

Versions of packages apt suggests:
pn  apt-doc                      <none>
pn  aptitude | synaptic | wajig  <none>
ii  dpkg-dev                     1.19.7ubuntu3.2
ii  gnupg                        2.2.19-3ubuntu2.2
ii  powermgmt-base               1.36

-- no debconf information
--- End Message ---
--- Begin Message ---
- To: Alexey Salmin <alexey.salmin+debianbugs@gmail.com>, 1024260-done@bugs.debian.org
- Subject: Re: Bug#1024260: apt: An easy way to install only security updates
- From: David Kalnischkies <david@kalnischkies.de>
- Date: Wed, 16 Nov 2022 18:47:50 +0100
- Message-id: <20221116174750.uwyvt2aealjrro5u@crossbow>
- In-reply-to: <166861446697.675077.15966905637545760401.reportbug@salmin-dell>
- References: <166861446697.675077.15966905637545760401.reportbug@salmin-dell>
On Wed, Nov 16, 2022 at 05:01:06PM +0100, Alexey Salmin wrote:
> I see two ways this could be done in a general non-hacky way:
> 1) Support "Suite" filter as a command-line option in apt-get.

That is technically already available via --target-release (-t) assuming
the repository providing these critical updates (whatever that is) uses
a different suite name than the others AND your pinning is set up
accordingly. Both are not in the hands of apt.

> 2) Provide a separate sources-security.list into the default install,
> then users can pick it with the '-o Dir::Etc::SourceList' option.

That would also be a request for whatever configures apt (like the
installer or … your image builder?) as apt comes with no sources by
default. Different distros will have different repositories, names,
setups and customs so apt couldn't even if we tried.

> I'm not sure about the option (1), but option (2) looks very simple and
> nevertheless would greatly improve the availability of security updates.
>
> [1] https://serverfault.com/questions/270260/how-do-you-use-apt-get-to-only-install-critical-security-updates-on-ubuntu
> [2] https://askubuntu.com/questions/194/how-can-i-install-just-security-updates-from-the-command-line

I don't think so. You are talking only about Ubuntu and I don't know that
distro much, but I presume they aren't super-different to Debian, where
on stable (whatever letter in Ubuntu is current, in Debian that would be
bullseye at the moment) every update you get is an important upgrade you
should apply, regardless of it coming via bullseye, bullseye-updates or
bullseye-security… (that is, upgrades tend to flow from the later to the
earlier so if you don't upgrade for months, all the security upgrades
will seem to come from bullseye directly).

Okay, sometimes packages need to be updated to fix non-security problems,
like the $videoplatform-downloader adapting to changed APIs, but that
might very well be just as (or even more) critical a problem than all
security upgrades combined depending on your specific system & use cases.

stable doesn't get upgrades just for the fun of it. That's the whole
point and why it's called "stable".

If we aren't talking about a stable system, but testing or even unstable
it would be interesting to only install security upgrades, but those do
not really exist (as usually a new upstream rather than a backport is
brought in to fix a problem and is hence indistinguishable usually from
an upgrade not fixing anything) and tend to depend on other "unimportant"
updates, too – like a browser fixing 10 CVEs in its newest upstream
release built against the newest libc not fixing any (known) bugs, which
also pulls in … aka: partial upgrade problem. Usually not worth the
hassle.

Okay, there is of course one big elephant in the room here: What about
the repositories not providing sensible security upgrades like the
hodgepodge of third-party/PPAs/you-name-it you might have also in your
sources… well, that remains a configuration issue as apt has no idea
what idea of security support a given repository has – I presume at
times, not even the maintainer of some of them knows.

That is why configuring unattended-upgrades can be a challenge. That is
more than you ask here though, you aim for attended-upgrades…

So, yeah, I don't see any possible angle for us as APT maintainers to do
anything here, so I am closing as not-a-bug (for us). It might very well
be a bug for things working with apt though, but not very useful to keep
it unactionable here.

Best regards

David Kalnischkies

P.S.: Isn't it like the whole point of Docker and Co that you have an
automatic way of rebuilding images all the time to incorporate upgrades?
What's the point if nobody uses that…

Attachment: signature.asc
Description: PGP signature
--- End Message ---
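
The workaround behind option (2) of the report, as an added example that is not part of either e-mail or of apt itself: it selects entries by the suite field of a one-line-style sources.list rather than by grepping for "security", then prints the apt-get calls that use the result. The function names, the sample file and the assumption that the security suite is named "<codename>-security" are illustrative.

```shell
#!/bin/sh
# Added example: derive a security-only source list from a one-line-style
# sources.list, then show the apt-get calls that restrict a run to it.

# Print active deb/deb-src entries whose suite ends in "-security".
# Assumption: the distribution names its security suite "<codename>-security"
# (focal-security, bullseye-security); other naming needs another pattern.
security_only_sources() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        $1 != "deb" && $1 != "deb-src" { next } # not a source entry
        {
            i = 2
            if ($i ~ /^\[/) {                   # optional "[ opt=val ... ]" field
                while (i <= NF && $i !~ /\]$/) i++
                i++
            }
            if ($(i + 1) ~ /-security$/) print  # fields: URI, then suite
        }
    ' "$1"
}

# Print the commands that restrict one APT run to that list.
# Dir::Etc::SourceParts is set to "-" (a directory that does not exist) so
# third-party entries under sources.list.d are left out of the run.
security_upgrade_commands() {
    opts="-o Dir::Etc::SourceList=$1 -o Dir::Etc::SourceParts=-"
    printf 'apt-get update %s\n' "$opts"
    printf 'apt-get upgrade -y %s\n' "$opts"
}

# Constructed sample input, modelled on the sources.list in the report.
# The last entry has "security" in its URI but not in its suite, so a plain
# grep would select it while the suite check does not.
workdir=$(mktemp -d)
cat > "$workdir/sources.list" <<'EOF'
# deb cdrom:[Ubuntu 20.04.3 LTS]/ focal main restricted
deb http://fr.archive.ubuntu.com/ubuntu/ focal main restricted
deb http://fr.archive.ubuntu.com/ubuntu/ focal-updates main restricted
deb http://security.ubuntu.com/ubuntu focal-security main restricted
# deb-src http://security.ubuntu.com/ubuntu focal-security main restricted
deb [arch=amd64 signed-by=/usr/share/keyrings/example.gpg] http://security.ubuntu.com/ubuntu focal-security universe
deb [ arch=amd64 ] http://mirror.example/ubuntu-security focal main
EOF

security_only_sources "$workdir/sources.list" > "$workdir/sources-security.list"
cat "$workdir/sources-security.list"
security_upgrade_commands "$workdir/sources-security.list"
```

The caveats from the reply still apply: the result depends entirely on how the repository names its suites, and fixes that have already flowed into the base suite are not reachable through this list.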