Bug#1112193: marked as done (Apt manual install overridden during remove)
Your message dated Wed, 27 Aug 2025 13:04:08 +0200
with message-id <20250827130153.GA62098@debian.org>
and subject line Re: Bug#1112193: Apt manual install overridden during remove
has caused the Debian Bug report #1112193,
regarding Apt manual install overridden during remove
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)
--
1112193: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1112193
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apt
Version: 2.6.1
Severity: important
X-Debbugs-Cc: cmahnke@gmail.com
Dear Maintainer,
there is a critical error in `apt`: It's possible that packages marked as
`manual` get removed during uninstall of other packages.
To reproduce:
```
docker run -it debian:bookworm
apt-get update
apt-get install podman
apt-get install -y reprepro dpkg-dev tree gpg
apt-get remove -y reprepro dpkg-dev tree gpg
```
BTW, even if the cause is wrong metadata for one of the packages above,
this is a bug in the package manager, since metadata should not be able
to override any user requests; this is a potential denial of service
attack vector.
-- System Information:
Debian Release: 12.11
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'),
(500, 'oldstable')
Architecture: arm64 (aarch64)
Kernel: Linux 6.6.96-0-virt (SMP w/6 CPU threads; PREEMPT)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect
Versions of packages apt depends on:
ii adduser 3.134
ii debian-archive-keyring 2023.3+deb12u2
ii gpgv 2.2.40-1.1
ii libapt-pkg6.0 2.6.1
ii libc6 2.36-9+deb12u10
ii libgcc-s1 12.2.0-14+deb12u1
ii libgnutls30 3.7.9-2+deb12u5
ii libseccomp2 2.5.4-1+deb12u1
ii libstdc++6 12.2.0-14+deb12u1
ii libsystemd0 252.38-1~deb12u1
Versions of packages apt recommends:
ii ca-certificates 20230311+deb12u1
Versions of packages apt suggests:
pn apt-doc <none>
pn aptitude | synaptic | wajig <none>
pn dpkg-dev <none>
pn gnupg | gnupg2 | gnupg1 <none>
pn powermgmt-base <none>
-- no debconf information
--- End Message ---
--- Begin Message ---
On Wed, Aug 27, 2025 at 12:50:32PM +0200, Christian Mahnke wrote:
> Package: apt
> Version: 2.6.1
> Severity: important
> X-Debbugs-Cc: cmahnke@gmail.com
>
> Dear Maintainer,
>
> there is a critical error in `apt`: It's possible that packages marked as
> `manual` get removed during uninstall of other packages.
>
> To reproduce:
>
> ```
> docker run -it debian:bookworm
> apt-get update
> apt-get install podman
> apt-get install -y reprepro dpkg-dev tree gpg
> apt-get remove -y reprepro dpkg-dev tree gpg
> ```
>
> BTW, even if the cause is wrong metadata for one of the packages above, this
> is a bug in the package manager, since metadata should not be able to
> override any user requests; this is a potential denial of service attack
> vector.
>
This is the expected behavior and not a bug.
The new solver has flipped the behavior right now but that might not
survive general release. But particularly it only flips the default
for apt(8), not apt-get(8) - apt-get(8) is a mostly-bug-compatible
retro computing frontend after all - it does not get behavior changes
that can be avoided.
--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en
--- End Message ---
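
An added example, not part of the original thread or of apt itself: a pre-flight check that simulates a removal with `apt-get -s` and refuses to proceed if a package listed by `apt-mark showmanual` would be removed without having been named on the command line. The function names `collateral_removals` and `safe_remove` are hypothetical, and the sample data (including `manual-tool` and `auto-lib`) is constructed, not captured from the reported system.

```shell
#!/bin/sh
# collateral_removals SIM_OUTPUT MANUAL_LIST PKG...
#   SIM_OUTPUT  : text printed by `apt-get -s remove PKG...`
#   MANUAL_LIST : text printed by `apt-mark showmanual` (one name per line)
# Prints every manually marked package that the simulation would remove
# although it was not among the requested PKG arguments.
collateral_removals() {
    sim=$1; manual=$2; shift 2
    requested=" $* "
    # Simulated actions appear as "Remv name [version]" / "Purg name [version]".
    printf '%s\n' "$sim" | awk '$1 == "Remv" || $1 == "Purg" { print $2 }' |
    while IFS= read -r pkg; do
        case $requested in *" $pkg "*) continue ;; esac   # explicitly requested
        if printf '%s\n' "$manual" | grep -qxF -- "$pkg"; then
            printf '%s\n' "$pkg"                          # manual, not requested
        fi
    done
}

# safe_remove PKG...: run the real removal only if the simulation is clean.
safe_remove() {
    sim_out=$(LC_ALL=C apt-get -s remove "$@") || return 2
    hits=$(collateral_removals "$sim_out" "$(apt-mark showmanual)" "$@")
    if [ -n "$hits" ]; then
        echo "refusing: manually installed packages would also be removed:" >&2
        printf '  %s\n' $hits >&2
        return 1
    fi
    apt-get remove -y "$@"
}

# Constructed sample input (names and versions are placeholders).
SAMPLE_SIM='Reading package lists...
Building dependency tree...
Remv reprepro [1.0]
Remv dpkg-dev [1.0]
Remv manual-tool [1.0]
Remv tree [1.0]
Remv gpg [1.0]
Remv auto-lib [1.0]'
SAMPLE_MANUAL='manual-tool
reprepro
dpkg-dev
tree
gpg'
```

Calling `collateral_removals "$SAMPLE_SIM" "$SAMPLE_MANUAL" reprepro dpkg-dev tree gpg` prints `manual-tool`; `auto-lib` is not reported because it is not in the manual list.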