• Setting APT::Default-Release prevents installation of security updates

    From Daniel Gröber@21:1/5 to All on Thu Jul 20 23:10:01 2023
    Hi debian-security,

    I've just noticed something rather distressing. As part of my usual Debian installation I set `APT::Default-Release "stable";` which causes a change
    of apt priorities for packages from this release (or so I thought) from the usual 500 to 990. This is recommended in various places, but I don't recall
    if d-i sets this up by default or not.

    It seems packages from the debian-security repository are not affected by
    this increased priority and will not get installed as a result. Note:
    `apt-cache policy` tends to lie. I observed this by actually trying to
    install a kernel update from d-security that should get installed but
    doesn't.

    As soon as I remove the Default-Release line from apt.conf the update gets offered for installation. Has anyone else observed this or is something
    broken in my apt config somewhere?

    --Daniel

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Paul Wise@21:1/5 to All on Fri Jul 21 04:20:01 2023
    On Thu, 2023-07-20 at 22:12 +0200, Daniel Gröber wrote:

    > It seems packages from the debian-security repository are not affected by this increased priority and will not get installed as a result.

    This was documented in the release notes for Debian bullseye:

    https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#security-archive

    I have updated a few wiki pages that mention APT::Default-Release too.

    https://wiki.debian.org/DebianUnstable?action=diff&rev1=144&rev2=145
    https://wiki.debian.org/DebianEdu/Status/Bullseye?action=diff&rev1=107&rev2=108
    https://wiki.debian.org/Wajig?action=diff&rev1=20&rev2=21
    https://wiki.debian.org/FunambolInstallation?action=diff&rev1=9&rev2=10

    If there is other documentation of APT::Default-Release that should get updated, please let us know so that we can fix it.

    --
    bye,
    pabs

    https://wiki.debian.org/PaulWise


    From Daniel Gröber@21:1/5 to Paul Wise on Fri Jul 21 11:10:01 2023
    Hi Paul,

    On Fri, Jul 21, 2023 at 10:17:28AM +0800, Paul Wise wrote:
    > On Thu, 2023-07-20 at 22:12 +0200, Daniel Gröber wrote:

    > > It seems packages from the debian-security repository are not affected by this increased priority and will not get installed as a result.

    > This was documented in the release notes for Debian bullseye:

    > https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#security-archive

    Now that you mention it I remember reading this and getting quite
    irritated. Probably why I forgot about it.

    Do you have any references on how this decision came to be?

    > I have updated a few wiki pages that mention APT::Default-Release too.

    > https://wiki.debian.org/DebianUnstable?action=diff&rev1=144&rev2=145
    > https://wiki.debian.org/DebianEdu/Status/Bullseye?action=diff&rev1=107&rev2=108
    > https://wiki.debian.org/Wajig?action=diff&rev1=20&rev2=21
    > https://wiki.debian.org/FunambolInstallation?action=diff&rev1=9&rev2=10

    > If there is other documentation of APT::Default-Release that should get updated, please let us know so that we can fix it.

    One mention I found is in Raphaël and Roland's DAH (now in CC): https://debian-handbook.info/browse/stable/sect.apt-get.html#sect.apt-upgrade

    The places I'm most concerned about, people's brains and random web sites, aren't so easily fixed unfortunately. Advice to set this is splattered all
    over the web. I really don't understand why we made a change so seemingly
    ill-advised as this.

    A web search for "Debian Default-Release security" didn't reveal anything talking about this problem, especially not our release notes, so I think
    this change didn't get the publicity it deserves at the very least.

    What I don't understand is why the security repo codename wasn't changed to $codename/security? Wouldn't that be handled correctly by APT? Unless the /update string in particular had special handling?

    Thanks,
    --Daniel

  • From Paul Wise@21:1/5 to All on Sat Jul 22 10:00:02 2023
    On Fri, 2023-07-21 at 11:04 +0200, Daniel Gröber wrote:

    > Do you have any references on how this decision came to be?

    I think it was about making the suite naming more intuitive, consistent
    with other suites and possibly also some dak implementation concerns.

    > One mention I found is in Raphaël and Roland's DAH (now in CC): https://debian-handbook.info/browse/stable/sect.apt-get.html#sect.apt-upgrade

    Probably better to file a bug about this, so it is tracked.

    > The places I'm most concerned about, people's brains and random web sites, aren't so easily fixed unfortunately. Advice to set this is splattered all over the web. I really don't understand why we made a change so seemingly
    > ill-advised as this.

    > A web search for "Debian Default-Release security" didn't reveal anything talking about this problem, especially not our release notes, so I think
    > this change didn't get the publicity it deserves at the very least.

    > What I don't understand is why the security repo codename wasn't changed to $codename/security? Wouldn't that be handled correctly by APT? Unless the /update string in particular had special handling?

    You will have to ask the apt developers and archive admins about this,
    but at the end of the day reverting it is unlikely to happen, so
    probably it is something everyone will just have to learn to live with.

    --
    bye,
    pabs

    https://wiki.debian.org/PaulWise


    From Daniel Gröber@21:1/5 to Paul Wise on Sat Jul 22 16:00:02 2023
    Hi Paul,

    On Sat, Jul 22, 2023 at 03:56:02PM +0800, Paul Wise wrote:
    > One mention I found is in Raphaël and Roland's DAH (now in CC): https://debian-handbook.info/browse/stable/sect.apt-get.html#sect.apt-upgrade

    > Probably better to file a bug about this, so it is tracked.

    Ah, I didn't realise debian-handbook has a package in the archive :)

    Done, Bug#1041706: debian-handbook: Wrong advice on APT::Default-Release preventing security updates.

    > What I don't understand is why the security repo codename wasn't changed to $codename/security? Wouldn't that be handled correctly by APT? Unless the /update string in particular had special handling?

    > You will have to ask the apt developers and archive admins about this,
    > but at the end of the day reverting it is unlikely to happen, so
    > probably it is something everyone will just have to learn to live with.

    I've had a quick look at the apt code now and indeed it seems to handle $codename/$whatever as equivalent to $codename, see metaIndex::CheckDist.

    I don't see why we couldn't revert this change. Anybody who's applied the
    hack from the bullseye release-notes will be unaffected as the regex will
    still match a plain code/suite-name but people who never applied this
    advice will get their security updates back.

    I've sent a bug to apt as well, just about the doc references for now: Bug#1041708: apt: Manpages have wrong advice on APT::Default-Release
    preventing security updates.

    Who do I contact about the archive aspects? FTP-master or the
    security-team? The security-team is in CC on the doc bugs so I'm hoping
    they will see it anyway.

    Thanks,
    --Daniel

  • From Hannes von Haugwitz@21:1/5 to Paul Wise on Sat Jul 22 18:00:02 2023
    On Sat, Jul 22, 2023 at 03:56:02PM +0800, Paul Wise wrote:
    > You will have to ask the apt developers and archive admins about this,
    > but at the end of the day reverting it is unlikely to happen, so
    > probably it is something everyone will just have to learn to live with.

    What about adding a warning to apt if *-security or *-updates is
    configured in the sources list and `APT::Default-Release` is set but
    does not match the security or updates repo?

    Best regards

    Hannes

  • From Paul Wise@21:1/5 to Hannes von Haugwitz on Tue Jul 25 06:10:01 2023
    On Sat, 2023-07-22 at 17:45 +0200, Hannes von Haugwitz wrote:

    > What about adding a warning to apt if *-security or *-updates is
    > configured in the sources list and `APT::Default-Release` is set but
    > does not match the security or updates repo?

    That seems like the right solution here, please file a bug on apt.

    Please also check these packages and file bugs against any broken ones:

    https://codesearch.debian.net/search?literal=1&q=APT%3A%3ADefault-Release

    Some of these are probably best filed upstream instead of in Debian,
    especially for issues in files not used by Debian like Dockerfiles.

    --
    bye,
    pabs

    https://wiki.debian.org/PaulWise


  • From Raphael Hertzog@21:1/5 to All on Fri Aug 18 11:30:01 2023
    Hello,

    On Fri, 21 Jul 2023, Daniel Gröber wrote:
    > One mention I found is in Raphaël and Roland's DAH (now in CC): https://debian-handbook.info/browse/stable/sect.apt-get.html#sect.apt-upgrade

    I also saw your associated bug report. Thanks for highlighting this
    issue to me. I updated https://salsa.debian.org/hertzog/debian-handbook/-/issues/58
    to make sure that we take care of documenting this as part of the next
    book update.

    Cheers,
    --
    ⢀⣴⠾⠻⢶⣦⠀ Raphaël Hertzog <hertzog@debian.org>
    ⣾⠁⢠⠒⠀⣿⡁
    ⢿⡄⠘⠷⠚⠋ The Debian Handbook: https://debian-handbook.info/get/
    ⠈⠳⣄⠀⠀⠀⠀ Debian Long Term Support: https://deb.li/LTS
