Bug#1041708: apt: Manpages have wrong advice on APT::Default-Release preventing security updates
Hi,
On Sat, Aug 19, 2023 at 04:53:09PM +0200, Raphael Hertzog wrote:
> > The problem is that regex is NOT supported at the moment.
>
> Urgh, and you did not complain that the release notes actually encourage
> users to do that?
Yeah, that seems less than ideal. Brings me back to thinking we should
change the security codename to something that's not going to need these
hacky regexes then.
Since $release/security is not well liked for unclear ("dak") reasons
(please someone elaborate if possible), perhaps an approach based on
Ubuntu's is less controversial.
In debian-security/bookworm-security we have this right now

  Origin: Debian
  Label: Debian-Security
  Suite: stable-security
  Version: 12
  Codename: bookworm-security

and we need the regex because $codename/$suite doesn't match "bookworm",
"bookworm/*" or stable, stable/* resp. Compare this to what Ubuntu uses:

  Origin: Ubuntu
  Label: Ubuntu
  Suite: kinetic-security
  Version: 22.10
  Codename: kinetic

Here APT::Default-Release "kinetic" would match just fine. Just seems they
don't support the "stable" alias like we do. Could we use this to cover
both use-cases:

  Origin: Debian
  Label: Debian-Security
  Suite: stable
  Codename: bookworm

Now no weird hacks are necessary: APT::Default-Release "bookworm" or
"stable" will match the security repos just fine.
Users that _really_ want to do weird things to the security repo can still
use a "label" match in apt/preferences like `Pin: release
l=Debian-Security`. I think you'd be able to combine this with a codename
match to be specific about which release too: `Pin: release
l=Debian-Security n=bookworm` but don't quote me on that until someone
tests it.
I don't see any real downsides to this approach other than "ugh more
change".
--Daniel
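
The comparison made in the message above, as an added example that is not part of the original mail and is not apt's code: it checks which of the three quoted Release headers a plain APT::Default-Release value would select, and a repository left unselected is one whose security updates do not get the default-release preference. It assumes a simplified model in which a plain (non-regex) value selects a repository only when it equals the Suite or Codename field exactly; the function names and repository labels are made up for the example.

```python
# Added illustration, not apt's implementation.
# Assumption: a plain APT::Default-Release value selects a repository only
# when it is exactly equal to that repository's Suite or Codename field.

# Release headers copied from the message above; the dict keys are labels
# invented for this example.
RELEASES = {
    "debian-security (current)": (
        "Origin: Debian\nLabel: Debian-Security\nSuite: stable-security\n"
        "Version: 12\nCodename: bookworm-security\n"
    ),
    "ubuntu-security": (
        "Origin: Ubuntu\nLabel: Ubuntu\nSuite: kinetic-security\n"
        "Version: 22.10\nCodename: kinetic\n"
    ),
    "debian-security (proposed)": (
        "Origin: Debian\nLabel: Debian-Security\nSuite: stable\n"
        "Codename: bookworm\n"
    ),
}


def parse_release(text):
    """Parse the 'Key: value' header lines of a Release file into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        # Skip blank lines and indented continuation lines (checksum lists).
        if sep and not line[0].isspace():
            fields[key.strip()] = value.strip()
    return fields


def selected_by(default_release, fields):
    """True if the value names this repository's Suite or Codename."""
    return default_release in (fields.get("Suite"), fields.get("Codename"))


def unmatched(default_release):
    """Labels of the repositories that the given value leaves unselected."""
    return [name for name, text in RELEASES.items()
            if not selected_by(default_release, parse_release(text))]


if __name__ == "__main__":
    for value in ("bookworm", "stable", "kinetic"):
        print(f'APT::Default-Release "{value}" does not select:',
              unmatched(value))
```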