apt documentation for APT::Default-Release is not clear regarding security updates

Bug #295448 reported by Yan Li on 2008-11-08
This bug affects 4 people
Affects: apt (Ubuntu) | Importance: Low | Assigned to: Unassigned

Bug Description

Binary package hint: apt

This is related to all versions up to and including Hardy. I haven't tested this on Intrepid so I'm not sure about the versions after Hardy.

According to the apt_preferences manpage, the target release can be set on the apt-get command line or in the APT configuration file /etc/apt/apt.conf, and "APT::Default-Release "stable";" is given as an example. This is a very common and popular practice in the Debian community to set the default release and use apt pinning, but doing this in Ubuntu leads to a serious security impact with no obvious warning.

After setting APT::Default-Release to "hardy", which is the "Suite" name for the main hardy source, no security fixes nor updates would be installed unless their priorities are also set explicitly in apt_preferences. This is because in Ubuntu's world, security fixes come from the "hardy-security" source and other updates from the "hardy-updates" source, which bear a different "Suite" from the main source. Setting APT::Default-Release raises the priority of packages from the main source to 990, but doesn't cover packages from hardy-security and hardy-updates, so the latter are ignored since their packages now have a lower priority (priority 500 only) than the old ones in the main source (990).

I set APT::Default-Release to "hardy" in September this year and only found this problem today. I removed that setting and was surprised to find that I could install 46 accumulated security fixes and updates. It is pretty sad to me to learn that I haven't had security fixes for more than 2 months.

This is a radical deviation from the Debian practice. In Debian all security fixes and updates bear the same "Suite" (etch or lenny) so setting APT::Default-Release to "etch" covers all security fixes and updates.

I think it's unlikely that Ubuntu changes the organization of its sources, so at least a fix to this problem is patching the apt_preferences manpage, alerting people not to use APT::Default-Release the way they have used it in Debian, and explaining the reason and the resulting impact.

Version information of my apt from Hardy:
Architecture: i386
Version: 0.7.9ubuntu17.1

Thanks!

Alexandre Maciel (amaciel81) wrote :

Same here.

I have Kubuntu Hardy Heron, but I want to use the most recent version of KMyMoney. In Debian, I can do this just by setting the default version to Etch and pinning some packages from Lenny, but in Ubuntu, hardy, hardy-security, hardy-updates and hardy-backports are different distributions.

Thanks,
Alexandre

Gert Wollny (gert-die) wrote :

Same goes for pinning. Here one can work around this bug by pinning all the releases, e.g. to get package foo from jaunty and everything else from intrepid your /etc/apt/preferences should look something like this:

Package: foo
Pin: release a=jaunty
Pin-Priority: 991

Package: *
Pin: release a=intrepid
Pin-Priority: 990

Package: *
Pin: release a=intrepid-updates
Pin-Priority: 990

Package: *
Pin: release a=intrepid-security
Pin-Priority: 990

Package: *
Pin: release a=intrepid-backports
Pin-Priority: 990

Claude Brisson (claude-renegat) wrote :

This problem could be solved by changing APT::Default-Release behaviour: it could only consider the first part of a package suite name whenever it contains a dash.

helix84 (helix84) on 2009-06-23
Changed in apt (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Jamie Strandboge (jdstrand) wrote :

Please don't assign the security team to bugs. If a bug is deemed a security issue, subscribe the team instead.

Changed in apt (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Jamie Strandboge (jdstrand) wrote :

Just tested on Jaunty and confirmed the issue. However, I don't consider this a security bug because one can simply set the default release to 'hardy-security' as opposed to 'hardy'. This is at worst a documentation issue.

Changed in apt (Ubuntu):
importance: Undecided → Low
status: New → Confirmed
summary: - Setting APT::Default-Release blocks security fix and updates
+ apt documentation for APT::Default-Release is not clear regarding
+ security updates
Leonid Evdokimov (darkk) wrote :

As far as I see, karmic is not affected, right?

Julian Andres Klode (juliank) wrote :

In apt 0.8.X, you can just pin by regex or glob:

  Package: *
  Pin: release a=natty*
  Pin-Priority: 990

or
  Package: *
  Pin: release a=/natty.*/
  Pin-Priority: 990

Same goes for Default-Release:
  Apt::Default-Release "natty*";
or
  Apt::Default-Release "/natty.*/";

It's not documented, though.

You can also set Apt::Default-Release to the Version instead of the Suite. In other words, 'Apt::Default-Release "16.04";' will match all of the package sources for xenial.
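The following script is an added simulation of the priority rules this thread relies on; it is written for this report and is not apt's own code. It models the apt_preferences behaviour described above (target release at 990, everything else at 500, explicit Pin stanzas overriding both, highest priority then highest version winning), plus the glob and /regex/ release names Julian describes for apt 0.8. The package index, the version numbers and the simplified version comparison are constructed for the illustration; matching Default-Release against a Version such as "16.04" is not modelled.

```python
"""Simulation of APT candidate selection under APT::Default-Release and pins.

Illustration written for this bug report, not apt's own code. It follows the
apt_preferences rules the thread relies on: a version whose suite matches
Default-Release gets priority 990, any other version 500, explicit Pin
stanzas override both, and the candidate is the highest-priority version
with ties broken by the highest version number. Glob and /regex/ release
names are matched as described for apt 0.8. Version comparison is a
simplified token split, not dpkg's full algorithm (assumption).
"""
import fnmatch
import re

# Constructed package index: one package in three Ubuntu hardy suites plus a
# second package that also exists in the next release. Versions are made up.
AVAILABLE = [
    # (package, version, suite)
    ("openssl", "0.9.8g-4ubuntu3", "hardy"),
    ("openssl", "0.9.8g-4ubuntu3.4", "hardy-updates"),
    ("openssl", "0.9.8g-4ubuntu3.5", "hardy-security"),
    ("foo", "1.0", "hardy"),
    ("foo", "2.0", "intrepid"),
]


def version_key(version):
    """Simplified dpkg-style ordering: digit runs compare numerically,
    letter runs lexically; a longer version with an equal prefix is newer."""
    return tuple((0, int(tok)) if tok.isdigit() else (1, tok)
                 for tok in re.findall(r"\d+|[A-Za-z]+", version))


def release_matches(pattern, suite):
    """Exact name, shell glob ("hardy*") or /regex/ release matching."""
    if len(pattern) > 2 and pattern[0] == pattern[-1] == "/":
        return re.fullmatch(pattern[1:-1], suite) is not None
    return fnmatch.fnmatchcase(suite, pattern)


def priority(package, suite, default_release=None, pins=()):
    """Priority of one version. pins: (Package, release, Pin-Priority) tuples.
    Package-specific stanzas take precedence over "Package: *" ones."""
    for pin_pkg, pin_release, prio in sorted(pins, key=lambda p: p[0] == "*"):
        if fnmatch.fnmatchcase(package, pin_pkg) and release_matches(pin_release, suite):
            return prio
    if default_release and release_matches(default_release, suite):
        return 990   # target release
    return 500       # every other source


def candidate(package, default_release=None, pins=()):
    """Return (version, suite) apt would pick: highest priority, then version."""
    ranked = [(priority(p, s, default_release, pins), version_key(v), v, s)
              for p, v, s in AVAILABLE if p == package]
    _, _, version, suite = max(ranked)
    return version, suite


def no_configuration():
    """Baseline: everything at 500, so the newest version (security) wins."""
    return candidate("openssl")


def default_release_hardy():
    """The reported problem: "hardy" alone holds the stale version at 990."""
    return candidate("openssl", default_release="hardy")


def explicit_pins():
    """Gert's workaround: pin every hardy-* suite to 990 by hand."""
    pins = [("*", s, 990) for s in
            ("hardy", "hardy-updates", "hardy-security", "hardy-backports")]
    return candidate("openssl", pins=pins)


def glob_default_release():
    """Julian's apt 0.8 form: Default-Release "hardy*" covers all suites."""
    return candidate("openssl", default_release="hardy*")


def package_from_newer_release():
    """Gert's foo example: one package from the next release at 991."""
    pins = [("foo", "intrepid", 991), ("*", "hardy*", 990)]
    return candidate("foo", pins=pins)


if __name__ == "__main__":
    for name, fn in [("no config", no_configuration),
                     ('Default-Release "hardy"', default_release_hardy),
                     ("explicit pins", explicit_pins),
                     ('Default-Release "hardy*"', glob_default_release),
                     ("foo from intrepid", package_from_newer_release)]:
        print(f"{name:28s} -> {fn()}")
```

Running it side by side makes the failure mode concrete: with only Default-Release "hardy" the stale main-suite version stays the candidate while the hardy-security version sits at 500, whereas the explicit per-suite pins or the "hardy*" glob restore the security version as the winner. On a real system the equivalent check is apt-cache policy on a package known to have a pending security update, which prints the same priorities.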
