Dev1 Galaxy Forum / Security Updates for Beowulf not installed automatically

Re: Security Updates for Beowulf not installed automatically

dummy@example.com (pcalvert) — Thu, 05 Mar 2020 18:17:55 +0000

Devuan ASCII has the same problem. I encountered it last year.

See: https://dev1galaxy.org/viewtopic.php?pid=14632#p14632

Phil

Re: Security Updates for Beowulf not installed automatically

dummy@example.com (igs) — Wed, 04 Mar 2020 17:26:53 +0000

LeePen wrote:

Hi,
Is the Default-release setting actually required? You only appear to have beowulf sources.

Some of my running systems have a Debian/Devuan history back to Debian Potato. I'm using private repositories e.g. for self-built backports and over the time it is often necessary to include other repositories. E.g. my more than 10 year old Zope 2.13 installation still running under Beowulf requires the 'python-virtualenv' package from Debian Wheezy.

In the 'apt policy' output above I've cut out the unrelated repositories. Sorry.

So I always use 'Default-release' on all of my systems and up to now that never was a problem.

Re: Security Updates for Beowulf not installed automatically

dummy@example.com (rolfie) — Wed, 04 Mar 2020 12:47:57 +0000

This is from a native Beowulf installed from a netinstall image last spring/summer:

apt policy
Paketdateien:
 100 /var/lib/dpkg/status
     release a=now
 500 http://deb.devuan.org/merged beowulf-updates/main amd64 Packages
     release v=3.0.0,o=Devuan,a=testing-updates,n=beowulf-updates,l=Devuan,c=main,b=amd64
     origin deb.devuan.org
 500 http://deb.devuan.org/merged beowulf-security/non-free amd64 Packages
     release v=3.0.0,o=Devuan,a=testing-security,n=beowulf-security,l=Devuan-Security,c=non-free,b=amd64
     origin deb.devuan.org
 500 http://deb.devuan.org/merged beowulf-security/main amd64 Packages
     release v=3.0.0,o=Devuan,a=testing-security,n=beowulf-security,l=Devuan-Security,c=main,b=amd64
     origin deb.devuan.org
 500 http://deb.devuan.org/merged beowulf/contrib amd64 Packages
     release v=3.0,o=Devuan,a=testing,n=beowulf,l=Devuan,c=contrib,b=amd64
     origin deb.devuan.org
 500 http://deb.devuan.org/merged beowulf/non-free amd64 Packages
     release v=3.0,o=Devuan,a=testing,n=beowulf,l=Devuan,c=non-free,b=amd64
     origin deb.devuan.org
 500 http://deb.devuan.org/merged beowulf/main amd64 Packages
     release v=3.0,o=Devuan,a=testing,n=beowulf,l=Devuan,c=main,b=amd64
     origin deb.devuan.org

I am receiving security updates every now and then.

rolfie

Re: Security Updates for Beowulf not installed automatically

dummy@example.com (LeePen) — Wed, 04 Mar 2020 11:38:16 +0000

Hi,

Is the Default-release setting actually required? You only appear to have beowulf sources.

I have a beowulf VM that installs security updates fine without Default-release being set. Both beowulf and beowulf-security being priority 500.

If you want to report this as a bug, then amprolla is the correct package to report against using reportbug. It is a pseudo-package so you will need to put 'other' at the first package prompt to get to the list of available pseudopackages.

Mark

Re: Security Updates for Beowulf not installed automatically

dummy@example.com (igs) — Wed, 04 Mar 2020 08:19:03 +0000

So I've found a workaround by creating

/etc/apt/preferences.d/security.pref

with the following content:

Package: *
Pin: release n=beowulf-security
Pin-Priority: 990

But from my point of view this is a workaround and not a fix. Adding the security repository in the 'sources.list' file should be enough and instantly enable installing security fixes.

I'm sure the problem is located in the 'Release' file of the repository.

Is there a place where I can open an issue for that? 'reportbug' seems not to work for that as the problem here is not package related but repository related.

Re: Security Updates for Beowulf not installed automatically

dummy@example.com (golinux) — Tue, 03 Mar 2020 23:45:48 +0000

It seems to be there:
https://pkginfo.devuan.org/cgi-bin/d1pk … se=beowulf

Sorry, I haven't a clue.

Re: Security Updates for Beowulf not installed automatically

dummy@example.com (igs) — Tue, 03 Mar 2020 23:09:22 +0000

thanks, but that does not help.

The 'apt policy' command helps a little bit forward:
Devuan:

# apt policy
Package files:
 100 /var/lib/dpkg/status
     release a=now
 500 http://deb.devuan.org/merged beowulf-security/main amd64 Packages
     release v=3.0.0,o=Devuan,a=testing-security,n=beowulf-security,l=Devuan-Security,c=main,b=amd64
     origin deb.devuan.org
 500 http://deb.devuan.org/merged beowulf-updates/main amd64 Packages
     release v=3.0.0,o=Devuan,a=testing-updates,n=beowulf-updates,l=Devuan,c=main,b=amd64
     origin deb.devuan.org
 990 http://deb.devuan.org/merged beowulf/main amd64 Packages
     release v=3.0,o=Devuan,a=testing,n=beowulf,l=Devuan,c=main,b=amd64
     origin deb.devuan.org
Pinned packages:
     systemd-sysv -> 44-11+deb7u4 with priority -1

Debian:

# apt policy
Package files:
 100 /var/lib/dpkg/status
     release a=now
 500 http://ftp2.de.debian.org/debian buster-updates/main i386 Packages
     release o=Debian,a=stable-updates,n=buster-updates,l=Debian,c=main,b=i386
     origin ftp2.de.debian.org
 500 http://ftp2.de.debian.org/debian buster-updates/main amd64 Packages
     release o=Debian,a=stable-updates,n=buster-updates,l=Debian,c=main,b=amd64
     origin ftp2.de.debian.org
 990 http://security.debian.org/debian-security buster/updates/main i386 Packages
     release v=10,o=Debian,a=stable,n=buster,l=Debian-Security,c=main,b=i386
     origin security.debian.org
 990 http://security.debian.org/debian-security buster/updates/main amd64 Packages
     release v=10,o=Debian,a=stable,n=buster,l=Debian-Security,c=main,b=amd64
     origin security.debian.org
 990 http://ftp2.de.debian.org/debian buster/main i386 Packages
     release v=10.3,o=Debian,a=stable,n=buster,l=Debian,c=main,b=i386
     origin ftp2.de.debian.org
 990 http://ftp2.de.debian.org/debian buster/main amd64 Packages
     release v=10.3,o=Debian,a=stable,n=buster,l=Debian,c=main,b=amd64
     origin ftp2.de.debian.org
Pinned packages:

As it can be seen, Debian sets the 'a=' and 'n=' to the same value for security and the main repo while Devuan sets different values.

So the question is: Is there a good reason to do that or it is a bug?

Re: Security Updates for Beowulf not installed automatically

dummy@example.com (golinux) — Tue, 03 Mar 2020 22:48:40 +0000

auto.mirror has been deprecated for a long time. Also Country Codes are not currently available for Devuan. Please try deb.devuan.org to see if that fixes things.

Security Updates for Beowulf not installed automatically

dummy@example.com (igs) — Tue, 03 Mar 2020 22:28:43 +0000

I've set default release to 'beowulf' in /etc/apt/apt.conf.d/Default-release

So Beowulf packages get apt priority 990. So far correct.

Also I like to get security updates. So I have the following line in my sources.list file:

deb http://auto.mirror.devuan.org/merged beowulf-security main

Unfortunately security updates become not installed automatically as these packages get priority 500. Sample:

# apt policy php7.3
php7.3:
  Installed: 7.3.14-1~deb10u1
  Candidate: 7.3.14-1~deb10u1
  Version table:
 *** 7.3.14-1~deb10u1 500
        500 http://auto.mirror.devuan.org/merged beowulf-security/main amd64 Packages
        100 /var/lib/dpkg/status
     7.3.11-1~deb10u1 990
        990 http://auto.mirror.devuan.org/merged beowulf/main amd64 Packages

(The package was upgraded manually)

Due to I still have a Buster server running (sorry) I see that in Debian the security updates get priority 990 too when Default-release is set to 'buster'. So security updates become installed automatically.

# apt policy php7.3
php7.3:
  Installed: (none)
  Candidate: 7.3.14-1~deb10u1
  Version table:
     7.3.14-1~deb10u1 990
        990 http://security.debian.org/debian-security buster/updates/main amd64 Packages
        990 http://security.debian.org/debian-security buster/updates/main i386 Packages
     7.3.11-1~deb10u1 990
        990 http://ftp2.de.debian.org/debian buster/main amd64 Packages
        990 http://ftp2.de.debian.org/debian buster/main i386 Packages

Is this intended or a bug or do I something wrong?

Is there an easy workaround by pinning?

Thanks