[Bug 295448] Re: apt documentation for APT::Default-Release is not clear regarding security updates

Paul Donohue ubuntu at PaulSD.com
Sun May 1 14:14:03 UTC 2016


You can also set Apt::Default-Release to the Version instead of the
Suite.  In other words, 'Apt::Default-Release "16.04";' will match all
of the package sources for xenial.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/295448

Title:
  apt documentation for APT::Default-Release is not clear regarding
  security updates

Status in apt package in Ubuntu:
  Confirmed

Bug description:
  Binary package hint: apt

  This is related to all versions up to and including Hardy. I haven't
  tested this on Intrepid, so I'm not sure about the versions after
  Hardy.

  According to the apt_preferences manpage, the target release can be set on
  the apt-get command line or in the APT configuration file
  /etc/apt/apt.conf, and "APT::Default-Release "stable";" is given
  as an example. This is a very common and popular practice in the
  Debian community to set the default release and use apt pinning, but
  doing this in Ubuntu leads to a serious security impact with no obvious
  warning.

  After setting APT::Default-Release to "hardy", which is the "Suite"
  name for the main hardy source, no security fixes or updates would be
  installed unless their priorities are also set explicitly in
  apt_preferences. This is because in Ubuntu's world, security
  fixes come from the "hardy-security" source and other updates from
  the "hardy-updates" source, which bear a different "Suite" from the main
  source. Setting APT::Default-Release raises the priority of packages
  from the main source to 990, but doesn't cover packages from
  hardy-security and hardy-updates, so the latter are ignored since their
  packages now have a lower priority (priority 500 only) than the old
  ones in the main source (990).

  I set APT::Default-Release to "hardy" in September this year and did not
  find this problem until today. After removing that setting, I was surprised
  to find that I could install 46 accumulated security fixes and updates. It
  is pretty sad to learn that I haven't received security fixes for more
  than 2 months.

  This is a radical deviation from the Debian practice. In Debian all
  security fixes and updates bear the same "Suite" (etch or lenny) so
  setting APT::Default-Release to "etch" covers all security fixes and
  updates.

  I think it's unlikely that Ubuntu changes the organization of its
  sources, so at the least a fix for this problem is to patch the
  apt_preferences manpage, alerting people not to use APT::Default-Release
  the way they have used it in Debian, and explaining the reason and the
  resulting impact.

  Version information of my apt from Hardy:
  Architecture: i386
  Version: 0.7.9ubuntu17.1

  Thanks!
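As an added illustration (not code from the bug report or from apt itself), the following Python model reproduces the pin-priority behaviour described above: APT::Default-Release pins matching sources at 990 and leaves the rest at 500, and apt matches a value that starts with a digit against the Release file's Version field, otherwise against its Suite. The Release metadata for the three xenial pockets and the package versions are constructed for the example; the version ordering is a simplification of dpkg's.

```python
import re

# Constructed Release-file fields for the three xenial pockets. Ubuntu's
# -security and -updates pockets carry their own Suite but share Version.
SOURCES = {
    "xenial":          {"Suite": "xenial",          "Version": "16.04"},
    "xenial-security": {"Suite": "xenial-security", "Version": "16.04"},
    "xenial-updates":  {"Suite": "xenial-updates",  "Version": "16.04"},
}

# Constructed versions of one package as offered by each pocket.
CANDIDATES = {
    "xenial":          "1.0-1",
    "xenial-security": "1.0-1.2",   # the security fix
    "xenial-updates":  "1.0-1.1",
}

def pin_priority(default_release, release):
    """Priority apt gives a source under APT::Default-Release.

    A value beginning with a digit is compared to the Release file's
    Version field, anything else to its Suite; a match pins at 990,
    everything else stays at the default 500."""
    if default_release is None:
        return 500
    field = "Version" if default_release[0].isdigit() else "Suite"
    return 990 if release[field] == default_release else 500

def version_key(version):
    # Simplified ordering (not dpkg's algorithm): compare numeric fields.
    return tuple(int(x) for x in re.findall(r"\d+", version))

def candidate(default_release):
    """Source whose version apt would install: highest pin priority wins,
    ties are broken by the highest version."""
    return max(
        CANDIDATES,
        key=lambda src: (pin_priority(default_release, SOURCES[src]),
                         version_key(CANDIDATES[src])),
    )

if __name__ == "__main__":
    for setting in (None, "xenial", "16.04"):
        print(f"Default-Release={setting!r:10} -> installs from {candidate(setting)}")
```

With "xenial" the outdated main-pocket version wins over the security fix; with "16.04" (or no setting) all three pockets rank equally and the security fix is chosen.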
