Mixed distribution repository pinning with slimmed down sources.list produces unwanted results
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apt (Ubuntu) | New | Undecided | Unassigned |
Bug Description
Binary package hint: apt
In a nutshell, we build appliances based on Ubuntu LTS (pinned with priority 650). Some appliances include selected packages from Debian stable, pinned with a higher priority (700) than Ubuntu, and all other Debian packages pinned lower (650) than Ubuntu.
Under regular circumstances, the above pinning results in the expected behavior.
Recently we discovered that our auto security update configuration [1] installs packages from Debian which should not be installed, as they have a lower priority than Ubuntu. It seems to do this due to several factors, the main one being that the sources.list specified in the security update includes newer Debian packages that don't exist in the Ubuntu security repository.
An example might explain the above more clearly:
Tested on:
turnkey-
apt 0.7.9ubuntu17.2
/etc/apt/
Package: phpmyadmin*
Pin: release o=Debian
Pin-Priority: 700

Package: *
Pin: release o=Ubuntu
Pin-Priority: 650

Package: *
Pin: release o=Debian
Pin-Priority: 600
Note, phpmyadmin includes an asterisk to work around the bug: APT wants to downgrade packages with pin-priority less than 1000 [2].
/etc/apt/
deb http://
deb http://
deb http://
apt-get dist-upgrade -s -o APT::Get:
Inst libc6-dev [2.7-10ubuntu5] (2.7-18lenny2 Debian-
Inst libc6 [2.7-10ubuntu5] (2.7-18lenny2 Debian-
Conf libc6 (2.7-18lenny2 Debian-
Inst libltdl3 [1.5.26-1ubuntu1] (1.5.26-4+lenny1 Debian-
Inst phpmyadmin [4:2.11.
Conf libc6-dev (2.7-18lenny2 Debian-
Conf libltdl3 (1.5.26-4+lenny1 Debian-
Conf phpmyadmin (4:2.11.
The desired behavior should only be installing phpmyadmin.
If all sources.list's are used, then only the pinned Debian packages will be upgraded (as expected), but with the unwanted side effect that newer packages available in Ubuntu will be installed, which are not necessarily security updates.
/etc/apt/
deb http://
deb http://
deb http://
deb http://
apt-get dist-upgrade -s -o APT::Get:
Inst phpmyadmin [4:2.11.
Conf phpmyadmin (4:2.11.
In the search for a workaround:
Changing the Debian release priority to 99 will not install any Debian updates (phpmyadmin), even though it is pinned with a high priority.
But, in addition to dropping the Debian priority, if we also remove the asterisk (phpmyadmin* -> phpmyadmin), we are able to produce the desired behavior.
Is this a bug? A few bugs?
Or am I missing something painfully obvious?
[1] http://
[2] https:/
> Package: phpmyadmin*
that is not supported, setting as duplicate
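The results in the report can be reproduced with a small model of apt's candidate selection (an added example, not apt's code and not part of the report or the reply). It assumes the rules documented in apt_preferences(5): the installed version carries priority 100, specific-form records are consulted before "Package: *", the highest priority wins and ties go to the newest version. It also assumes, following the reply, that "phpmyadmin*" is compared literally and therefore never matches; the function names are hypothetical.

```python
# Added example: simplified model of apt candidate selection, not apt's code.
PREFS = """\
Package: phpmyadmin*
Pin: release o=Debian
Pin-Priority: 700

Package: *
Pin: release o=Ubuntu
Pin-Priority: 650

Package: *
Pin: release o=Debian
Pin-Priority: 600
"""

def parse(text):
    """Parse blank-line separated stanzas into (package, origin, priority)."""
    pins = []
    for block in text.strip().split("\n\n"):
        f = dict(line.split(": ", 1) for line in block.splitlines())
        pins.append((f["Package"], f["Pin"].split("o=", 1)[1], int(f["Pin-Priority"])))
    return pins

def priority(pins, pkg, origin):
    """First matching specific-form record wins, then the first 'Package: *' one."""
    for want_specific in (True, False):
        for name, pin_origin, prio in pins:
            matches = name == pkg if want_specific else name == "*"
            if matches and pin_origin == origin:
                return prio
    return 500  # apt default for an unpinned version outside the target release

def candidate(pins, pkg, installed, available):
    """Pick the install candidate.

    available: (version, origin) pairs from the configured sources, ordered
    oldest to newest and never older than `installed` (assumption, so no
    Debian version comparison is needed).
    """
    best, best_prio = installed, 100  # dpkg status entry carries priority 100
    for version, origin in available:
        prio = priority(pins, pkg, origin)
        if prio >= best_prio:  # higher priority wins, ties go to the newer version
            best, best_prio = version, prio
    return best

if __name__ == "__main__":
    pins = parse(PREFS)
    installed, debian = "2.7-10ubuntu5", "2.7-18lenny2"  # libc6 versions from the report
    print("slim:", candidate(pins, "libc6", installed, [(debian, "Debian")]))
    print("full:", candidate(pins, "libc6", installed, [(installed, "Ubuntu"), (debian, "Debian")]))
```

With the slimmed-down sources the installed Ubuntu version is offered by no repository, so it competes at priority 100 and the Debian version at 600 becomes the candidate; with all sources present the same version is also offered by Ubuntu at 650 and stays.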