Control: tags -1 patch

Hi all,

On 10-08-2021 07:55, Paul Gevers wrote:
> Yesterday I noticed that the layout change of the security impacts more
> than just the apt *sources* as my system wasn't updating perl,
> libencode-perl and exiv2. I already enabled the new security archive
> layout a long time ago (and apt will complain when the sources are not
> found). I discussed the issue on IRC on #d-release with juliank (apt
> upstream). What users *need* to be aware of is that apt pinning (pabs
> told me) and APT::Default-Release (found myself) may need adjustments
> too, otherwise security updates are not installed.
>
> I'm working on text for the release notes, but I fear a lot of users
> will not be reading those and when they upgrade their secure buster
> systems and only fix their apt sources, depending on how they configure
> their system to follow bullseye, they may easily miss out on security
> updates.

Please find attached my proposal, ready to push.

Paul
From 3e106d7ef0412530a0a9643032edb7bd4b453d74 Mon Sep 17 00:00:00 2001 From: Paul Gevers <elb...@debian.org> Date: Tue, 10 Aug 2021 13:03:30 +0200 Subject: [PATCH] issues.dbk: security archive requires update to pinning and Default-Release Closes: #992051 --- en/issues.dbk | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/en/issues.dbk b/en/issues.dbk index 1fbba7a3..e0d5fb11 100644 --- a/en/issues.dbk +++ b/en/issues.dbk @@ -81,6 +81,18 @@ The security line in your APT configuration may look like: <programlisting>deb https://deb.debian.org/debian-security bullseye-security main contrib</programlisting> </para> + <para> + If APT is configured using APT pinning or + <literal>APT::Default-Release</literal>, the configuration + most likely need updating as the codename of the security + archive no longer matches that of the regular archive. An + example of a working <literal>APT::Default-Release</literal> + line for bullseye looks: + <programlisting>APT::Default-Release "/^bullseye(|-security|-upgrades)$/";</programlisting> + which takes advantage of the undocumented feature of APT that + it supports POSIX fnmatch patterns and regular expressions + (inside <literal>/</literal>). + </para> </section> <section id="pam-default-password"> -- 2.30.2
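Review bot: In the added programlisting the pattern ends in `-upgrades`, but the Debian suite is named bullseye-updates, so with this line packages from bullseye-updates would fall outside the default release; suggest `APT::Default-Release "/^bullseye(|-security|-updates)$/";`. In the same paragraph, "most likely need updating" should read "most likely needs updating" and "looks:" should read "looks like:". The paragraph names APT pinning as affected too but only gives a Default-Release example; a sentence saying that pins on the old security codename need the same adjustment would cover the case described in the bug report.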