
Bug#1041708: apt: Manpages have wrong advice on APT::Default-Release preventing security updates



On Sat, Aug 19, 2023 at 06:14:54PM +0200, Daniel Gröber wrote:
> Hi,
> 
> On Sat, Aug 19, 2023 at 04:53:09PM +0200, Raphael Hertzog wrote:
> > > The problem is that regex is NOT supported at the moment.
> > 
> > Urgh, and you did not complain that the release notes actually encourage
> > users to do that?
> 
> Yeah, that seems less than ideal. Brings me back to thinking we should
> change the security codename to something that's not going to need these
> hacky regexes then.
> 
> Since $release/security is not well liked for unclear ("dak") reasons
> (please someone elaborate if possible), perhaps an approach based on
> Ubuntu's is less controversial.
> 
> In debian-security/bookworm-security we have this right now
> 
>     Origin: Debian
>     Label: Debian-Security
>     Suite: stable-security
>     Version: 12
>     Codename: bookworm-security
> 
> and we need the regex because $codename/$suite doesn't match "bookworm",
> "bookworm/*" or stable, stable/* resp. Compare this to what Ubuntu uses:
> 
>     Origin: Ubuntu
>     Label: Ubuntu
>     Suite: kinetic-security
>     Version: 22.10
>     Codename: kinetic
> 
> Here APT::Default-Release "kinetic" would match just fine. Just seems they
> don't support the "stable" alias like we do. Could we use this to cover
> both use-cases:
> 
>     Origin: Debian
>     Label: Debian-Security
>     Suite: stable
>     Codename: bookworm
> 
> Now no weird hacks are necessary; APT::Default-Release "bookworm" or
> "stable" will match the security repos just fine.
> 
> Users that _really_ want to do weird things to the security repo can still
> use a "label" match in apt/preferences like `Pin: release
> l=Debian-Security`. I think you'd be able to combine this with a codename
> match to be specific about which release too: `Pin: release
> l=Debian-Security n=bookworm` but don't quote me on that until someone
> tests it.
> 
> I don't see any real downsides to this approach other than "ugh more
> change".


I think ultimately APT::Default-Release was deprecated[1] in
configuration files many, many cycles ago, and the current
behavior is much more meaningful on the command line, both
in the cases of apt install foo -t bookworm and apt install foo/bookworm,
to specifically say you want stuff in bookworm and not in updates
or security (that is, you may want to downgrade to the latest
point release or install from it and ignore a buggy security
update).

I have a very strong dislike for the Ubuntu behavior because
it completely breaks user expectations.

In conclusion, I think that while this is a regression for
a very small minority of people, the current status quo is
ultimately an improvement in behavior.

I am amenable to adding a warning to apt in case APT::Default-Release
is set in apt.conf, so that users get a hint that their configuration
is wrong.

[1] by way of being not set up anymore, nor recommended in release
    notes.
-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
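Added example (written for this page; not apt's own code and not part of the bug report or the messages above): a toy model of how the "Pin: release" matcher treats the Release stanzas quoted in the thread, so the effect of APT::Default-Release "bookworm" on the current bookworm-security layout, on the Suite/Codename layout proposed above, and on Ubuntu's layout can be compared. Assumptions, beyond the quoted stanzas: the matcher is a simplified re-reading of apt's rules (a bare word matches either Suite or Codename; otherwise comma-separated x=value fields that must all match exactly; the /regex/ form is left out, since the thread says it is not supported for Default-Release); the Debian stable stanza, the package versions and the "highest priority wins, then highest version" candidate rule are constructed for the demo and ignore apt's installed-version and dpkg version-ordering rules. The label-plus-codename pin from the quoted message is written with apt_preferences(5)'s comma separator.

```python
"""Toy model of apt's ``Pin: release`` matching against the Release stanzas
quoted in this thread.  Added example, not apt's own code: the matcher is a
simplified re-reading of apt's rules and the policy is reduced to "highest
priority wins, ties go to the highest version".  Stanzas for Debian stable,
the versions and the priorities are constructed for the demo."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ReleaseFile:
    """The Release-file fields apt keeps per index file."""
    origin: str    # o=
    label: str     # l=
    suite: str     # a=  (apt calls the Suite field "Archive")
    codename: str  # n=


# Stanzas as quoted in the thread; the plain Debian stable one is assumed.
DEBIAN_STABLE = ReleaseFile("Debian", "Debian", "stable", "bookworm")
DEBIAN_SECURITY_CURRENT = ReleaseFile("Debian", "Debian-Security",
                                      "stable-security", "bookworm-security")
DEBIAN_SECURITY_PROPOSED = ReleaseFile("Debian", "Debian-Security",
                                       "stable", "bookworm")
UBUNTU_SECURITY = ReleaseFile("Ubuntu", "Ubuntu", "kinetic-security", "kinetic")

FIELD_BY_LETTER = {"o": "origin", "l": "label", "a": "suite", "n": "codename"}


def pin_matches(pin: str, rel: ReleaseFile) -> bool:
    """Evaluate the argument of a ``Pin: release`` line (or the value handed to
    APT::Default-Release / -t, which apt turns into the same kind of pin).
    Simplified: no regex form, malformed fragments simply fail to match."""
    if pin == "*":
        return True
    if "=" not in pin:
        # Bare word: accepted if it equals the Suite or the Codename.
        return pin in (rel.suite, rel.codename)
    for frag in (f.strip() for f in pin.split(",")):
        if len(frag) < 3 or frag[1] != "=":
            return False
        attr = FIELD_BY_LETTER.get(frag[0].lower())
        if attr is None or getattr(rel, attr) != frag[2:]:
            return False
    return True


def priority(rel: ReleaseFile, pins, default_release=None) -> int:
    """First matching pin wins.  Default-Release acts as a 990 pin placed in
    front of all others; files matched by no pin get apt's default of 500."""
    if default_release is not None:
        pins = [(default_release, 990)] + list(pins)
    for pin, prio in pins:
        if pin_matches(pin, rel):
            return prio
    return 500


def version_key(v: str):
    """Toy ordering on the numeric runs of a version string (not dpkg's algorithm)."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def candidate(available, pins=(), default_release=None) -> str:
    """available: list of (version, ReleaseFile).  Highest priority wins, ties
    go to the highest version; installed-version rules of real apt are ignored."""
    best = max(available, key=lambda vr: (priority(vr[1], pins, default_release),
                                          version_key(vr[0])))
    return best[0]


def demo():
    stable = ("1.0-1", DEBIAN_STABLE)                      # constructed versions
    sec_now = ("1.0-1+deb12u1", DEBIAN_SECURITY_CURRENT)
    sec_proposed = ("1.0-1+deb12u1", DEBIAN_SECURITY_PROPOSED)
    return {
        # Nothing pinned: the higher security version is the candidate.
        "unpinned": candidate([stable, sec_now]),
        # APT::Default-Release "bookworm" with today's stanza: only stable is
        # raised to 990, so the security update is never selected.
        "default_release_today": candidate([stable, sec_now],
                                           default_release="bookworm"),
        # Same setting with the Suite/Codename layout proposed in the thread.
        "default_release_proposed": candidate([stable, sec_proposed],
                                              default_release="bookworm"),
        # Ubuntu's layout: "kinetic" matches the -security pocket via Codename.
        "ubuntu_codename_match": pin_matches("kinetic", UBUNTU_SECURITY),
        # The label + codename pin from the thread, with apt's comma separator.
        "label_and_codename": pin_matches("l=Debian-Security,n=bookworm",
                                          DEBIAN_SECURITY_PROPOSED),
        "label_and_codename_today": pin_matches("l=Debian-Security,n=bookworm",
                                                DEBIAN_SECURITY_CURRENT),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two "default_release" entries are the crux of the bug: with the stanza bookworm-security ships today, the 990 pin never reaches the security index, so a plain "bookworm" Default-Release silently blocks security updates, while with Suite: stable / Codename: bookworm on the security archive the same setting raises both indexes to 990 and the higher version wins. The last entry shows that, under today's layout, a label pin meant to single out one release has to use n=bookworm-security rather than n=bookworm.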