Mixed distribution repository pinning with slimmed down sources.list produces unwanted results

Bug #550307 reported by Alon Swartz on 2010-03-28
Affects: apt (Ubuntu)

Bug Description

Binary package hint: apt

In a nutshell, we build appliances based on Ubuntu LTS (pinned with priority 650). Some appliances include selected packages from Debian stable, pinned with a higher priority (700) than Ubuntu, and all other Debian packages pinned lower (650) than Ubuntu.

Under regular circumstances, the above pinning results in the expected behavior.

Recently we discovered that our auto security update configuration [1] installs packages from Debian which should not be installed, as they have a lower priority than Ubuntu. It seems to do this due to several factors, the main one being that the sources.list specified in the security update includes newer Debian packages that don't exist in the Ubuntu security repository.

An example might explain the above more clearly:

Tested on:
    turnkey-mysql-2009.10-hardy-x86 (i.e. Ubuntu LTS - Hardy)
    apt 0.7.9ubuntu17.2

    Package: phpmyadmin*
    Pin: release o=Debian
    Pin-Priority: 700

    Package: *
    Pin: release o=Ubuntu
    Pin-Priority: 650

    Package: *
    Pin: release o=Debian
    Pin-Priority: 600

Note: phpmyadmin includes an asterisk to work around the bug "APT wants to downgrade packages with pin-priority less than 1000" [2].

    deb http://archive.ubuntu.com/ubuntu hardy-security main
    deb http://archive.ubuntu.com/ubuntu hardy-security universe
    deb http://security.debian.org/ lenny/updates main

apt-get dist-upgrade -s -o APT::Get::Show-Upgraded=true -o Dir::Etc::sourcelist=/etc/apt/sources.list.d/security.sources.list -o Dir::Etc::sourceparts=nonexistent |grep Debian

    Inst libc6-dev [2.7-10ubuntu5] (2.7-18lenny2 Debian-Security:5.0/stable) []
    Inst libc6 [2.7-10ubuntu5] (2.7-18lenny2 Debian-Security:5.0/stable)
    Conf libc6 (2.7-18lenny2 Debian-Security:5.0/stable)
    Inst libltdl3 [1.5.26-1ubuntu1] (1.5.26-4+lenny1 Debian-Security:5.0/stable)
    Inst phpmyadmin [4:] (4: Debian-Security:5.0/stable)
    Conf libc6-dev (2.7-18lenny2 Debian-Security:5.0/stable)
    Conf libltdl3 (1.5.26-4+lenny1 Debian-Security:5.0/stable)
    Conf phpmyadmin (4: Debian-Security:5.0/stable)

The desired behavior should only be installing phpmyadmin.

If all sources.list files are used, then only the pinned Debian packages will be upgraded (as expected), but with the unwanted side effect that newer packages available in Ubuntu will be installed, which are not necessarily security updates.

    deb http://archive.ubuntu.com/ubuntu hardy main
    deb http://archive.ubuntu.com/ubuntu hardy universe
    deb http://archive.ubuntu.com/ubuntu hardy-updates main
    deb http://archive.ubuntu.com/ubuntu hardy-updates universe

apt-get dist-upgrade -s -o APT::Get::Show-Upgraded=true |grep Debian

    Inst phpmyadmin [4:] (4: Debian-Security:5.0/stable)
    Conf phpmyadmin (4: Debian-Security:5.0/stable)

In the search for a workaround:

Changing the Debian release priority to 99 will not install any Debian updates (phpmyadmin), even though it is pinned with a high priority.

But, in addition to dropping the Debian priority, if we also remove the asterisk (phpmyadmin* -> phpmyadmin), we are able to produce the desired behavior.

Is this a bug? A few bugs?
Or am I missing something painfully obvious?

[1] http://www.turnkeylinux.org/docs/automatic-security-updates
[2] https://bugs.launchpad.net/ubuntu/+source/apt/+bug/315175
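The following is an added model (not the reporter's configuration, nor apt's own code) of the apt_preferences(5) candidate rules that reproduce the behaviour described above: the installed version carries priority 100, so with the slimmed security.sources.list the only visible libc6 is Debian's at 600 and wins, while a Debian pin of 99 loses to the installed version; a `Package:` glob such as `phpmyadmin*` is modelled as matching nothing, which is why dropping the asterisk lets the 700 pin take effect. The libc6 versions are the ones printed in the report; phpmyadmin versions in the checks are constructed.

```python
import re
from functools import cmp_to_key
from itertools import zip_longest

def _order(c):  # dpkg character order: end-of-string, then '~', letters, other symbols
    return 0 if c == "" else -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare one version part (upstream or revision): alternate non-digit runs and numeric runs."""
    while a or b:
        sa, sb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(sa):], b[len(sb):]
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return 1 if _order(ca) > _order(cb) else -1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return 1 if int(da or 0) > int(db or 0) else -1
    return 0

def vcmp(a, b):
    """dpkg-style comparison of [epoch:]upstream[-revision]; returns -1, 0 or 1."""
    ea, ua = a.split(":", 1) if ":" in a else ("0", a)
    eb, ub = b.split(":", 1) if ":" in b else ("0", b)
    ua, _, ra = ua.rpartition("-") if "-" in ua else (ua, "", "")
    ub, _, rb = ub.rpartition("-") if "-" in ub else (ub, "", "")
    return (int(ea) > int(eb)) - (int(ea) < int(eb)) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def priority(pkg, origin, pins):
    # Modelled on apt 0.7.9 per this report: 'Package:' matches '*' or the exact name only,
    # so a glob like 'phpmyadmin*' matches nothing; a specific pin beats the '*' pin; default 500.
    specific = [p for n, o, p in pins if n == pkg and o == origin]
    general = [p for n, o, p in pins if n == "*" and o == origin]
    return (specific or general or [500])[0]

def candidate(pkg, installed, available, pins):
    """apt_preferences(5) rules as modelled here: the installed version has priority 100, the highest
    priority wins, ties go to the newest version, and nothing below priority 1000 may downgrade."""
    choices = [(priority(pkg, o, pins), v) for v, o in available]
    if installed is not None:
        choices.append((100, installed))
    pri, ver = max(choices, key=lambda pv: (pv[0], cmp_to_key(vcmp)(pv[1])))
    if installed is not None and pri <= 1000 and vcmp(ver, installed) < 0:
        return installed  # a downgrade is refused below priority 1000
    return ver

# The report's pins as (Package, origin, priority) and the two views of libc6 from the report.
PINS_REPORTED = [("phpmyadmin*", "Debian", 700), ("*", "Ubuntu", 650), ("*", "Debian", 600)]
PINS_WORKAROUND = [("phpmyadmin", "Debian", 700), ("*", "Ubuntu", 650), ("*", "Debian", 99)]
LIBC6_SECURITY_ONLY = [("2.7-18lenny2", "Debian")]  # only the slimmed security list in play
LIBC6_ALL_SOURCES = [("2.7-10ubuntu5", "Ubuntu"), ("2.7-18lenny2", "Debian")]
```

Running `candidate("libc6", "2.7-10ubuntu5", LIBC6_SECURITY_ONLY, PINS_REPORTED)` yields the Debian version, exactly the unwanted `Inst libc6` line above, while the same call with `LIBC6_ALL_SOURCES` or `PINS_WORKAROUND` keeps the installed Ubuntu version.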

Rolf Leggewie (r0lf) wrote:

> Package: phpmyadmin*

That is not supported; setting as duplicate.
