Mixed distribution repository pinning with slimmed down sources.list produces unwanted results

Bug #550307 reported by Alon Swartz
This bug affects 1 person
Affects: apt (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: apt

In a nutshell, we build appliances based on Ubuntu LTS (pinned with priority 650). Some appliances include selected packages from Debian stable, pinned with a higher priority (700) than Ubuntu, and all other Debian packages pinned lower (650) than Ubuntu.

Under regular circumstances, the above pinning results in the expected behavior.

Recently we discovered that our auto security update configuration [1] installs packages from Debian which should not be installed, as they have a lower priority than Ubuntu. It seems to do this due to several factors, the main one being that the sources.list specified in the security update includes newer Debian packages that don't exist in the Ubuntu security repository.

An example might explain the above more clearly:

Tested on:
    turnkey-mysql-2009.10-hardy-x86 (i.e. Ubuntu LTS - Hardy)
    apt 0.7.9ubuntu17.2

/etc/apt/preferences

    Package: phpmyadmin*
    Pin: release o=Debian
    Pin-Priority: 700

    Package: *
    Pin: release o=Ubuntu
    Pin-Priority: 650

    Package: *
    Pin: release o=Debian
    Pin-Priority: 600

Note, phpmyadmin includes an asterisk to work around the bug: APT wants to downgrade packages with pin-priority less than 1000 [2].

/etc/apt/sources.list.d/security.sources.list

    deb http://archive.ubuntu.com/ubuntu hardy-security main
    deb http://archive.ubuntu.com/ubuntu hardy-security universe
    deb http://security.debian.org/ lenny/updates main

apt-get dist-upgrade -s -o APT::Get::Show-Upgraded=true -o Dir::Etc::sourcelist=/etc/apt/sources.list.d/security.sources.list -o Dir::Etc::sourceparts=nonexistent |grep Debian

    Inst libc6-dev [2.7-10ubuntu5] (2.7-18lenny2 Debian-Security:5.0/stable) []
    Inst libc6 [2.7-10ubuntu5] (2.7-18lenny2 Debian-Security:5.0/stable)
    Conf libc6 (2.7-18lenny2 Debian-Security:5.0/stable)
    Inst libltdl3 [1.5.26-1ubuntu1] (1.5.26-4+lenny1 Debian-Security:5.0/stable)
    Inst phpmyadmin [4:2.11.8.1-5+lenny1] (4:2.11.8.1-5+lenny3 Debian-Security:5.0/stable)
    Conf libc6-dev (2.7-18lenny2 Debian-Security:5.0/stable)
    Conf libltdl3 (1.5.26-4+lenny1 Debian-Security:5.0/stable)
    Conf phpmyadmin (4:2.11.8.1-5+lenny3 Debian-Security:5.0/stable)

The desired behavior should only be installing phpmyadmin.

If all sources.list's are used, then only the pinned Debian packages will be upgraded (as expected), but with the unwanted side effect that newer packages available in Ubuntu will be installed, which are not necessarily security updates.

/etc/apt/sources.list.d/sources.list

    deb http://archive.ubuntu.com/ubuntu hardy main
    deb http://archive.ubuntu.com/ubuntu hardy universe
    deb http://archive.ubuntu.com/ubuntu hardy-updates main
    deb http://archive.ubuntu.com/ubuntu hardy-updates universe

apt-get dist-upgrade -s -o APT::Get::Show-Upgraded=true |grep Debian

    Inst phpmyadmin [4:2.11.8.1-5+lenny1] (4:2.11.8.1-5+lenny3 Debian-Security:5.0/stable)
    Conf phpmyadmin (4:2.11.8.1-5+lenny3 Debian-Security:5.0/stable)

In the search for a workaround:

Changing the Debian release priority to 99 will not install any Debian updates (phpmyadmin), even though it is pinned with a high priority.

But, in addition to dropping the Debian priority, if we also remove the asterisk (phpmyadmin* -> phpmyadmin), we are able to produce the desired behavior.

Is this a bug? A few bugs?
Or am I missing something painfully obvious?

[1] http://www.turnkeylinux.org/docs/automatic-security-updates
[2] https://bugs.launchpad.net/ubuntu/+source/apt/+bug/315175

Rolf Leggewie (r0lf) wrote :

> Package: phpmyadmin*

that is not supported, setting as duplicate
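
A minimal model of the candidate-selection rules documented in apt_preferences(5), added here as an illustration (it is not part of the original report and not APT's code), showing why the four observations in the report are consistent with each other. It assumes, per the reply above, that the `phpmyadmin*` stanza matches no package, that with the slimmed-down list the installed libc6 is known only from the dpkg status file, and it replaces dpkg version comparison with a constructed rank.

```python
# Simplified model of APT candidate selection (apt_preferences(5)).
# Added illustration, not APT code. "rank" is a constructed stand-in for
# dpkg version ordering (higher rank = newer version).
INSTALLED = 100   # priority of the installed version (dpkg status file)
DEFAULT = 500     # priority of a version that no pin stanza matches

def pin_priority(package, origin, prefs):
    """Exact package-name stanza first, then the '*' stanza for that origin."""
    for wanted in (package, "*"):
        for name, pin_origin, prio in prefs:
            if name == wanted and pin_origin == origin:
                return prio
    return DEFAULT

def candidate(package, installed, available, prefs):
    """installed: (version, rank); available: [(version, rank, origin)]."""
    best = (INSTALLED, installed[1], installed[0])
    for version, rank, origin in available:
        prio = pin_priority(package, origin, prefs)
        if rank < installed[1] and prio <= 1000:
            continue  # never downgrade unless the priority exceeds 1000
        # Highest priority wins; equal priorities fall back to the newest version.
        best = max(best, (prio, rank, version))
    return best[2]

# Version strings are taken from the report; which archive offers which
# version is an assumption made for this example.
INSTALLED_VERSIONS = {"libc6": ("2.7-10ubuntu5", 1),
                      "phpmyadmin": ("4:2.11.8.1-5+lenny1", 1)}
DEBIAN_SECURITY = {"libc6": ("2.7-18lenny2", 2, "Debian"),
                   "phpmyadmin": ("4:2.11.8.1-5+lenny3", 2, "Debian")}
UBUNTU_MAIN = {"libc6": ("2.7-10ubuntu5", 1, "Ubuntu")}

def prefs(phpmyadmin_name, debian_priority):
    """The report's /etc/apt/preferences with two knobs varied."""
    return [(phpmyadmin_name, "Debian", 700),
            ("*", "Ubuntu", 650),
            ("*", "Debian", debian_priority)]

def plan(preferences, archives):
    """Version selected per package when only `archives` are in sources.list."""
    return {pkg: candidate(pkg, inst,
                           [a[pkg] for a in archives if pkg in a], preferences)
            for pkg, inst in INSTALLED_VERSIONS.items()}

if __name__ == "__main__":
    print("slim list, Debian=600:", plan(prefs("phpmyadmin*", 600), [DEBIAN_SECURITY]))
    print("full list, Debian=600:", plan(prefs("phpmyadmin*", 600), [UBUNTU_MAIN, DEBIAN_SECURITY]))
    print("slim list, Debian=99 :", plan(prefs("phpmyadmin*", 99), [DEBIAN_SECURITY]))
    print("exact name, Debian=99:", plan(prefs("phpmyadmin", 99), [DEBIAN_SECURITY]))
```

With the slimmed-down list the installed libc6 competes at priority 100 only, so any Debian version pinned above 100 is selected; once the archive carrying the installed version is listed, it competes at 650 and wins.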
