@khimaros
Last active November 25, 2024 19:09
debian testing with automatic security updates from unstable
@khimaros
Author

@martin-braun -- this is needed because there is still a delay (sometimes as long as weeks) between fixes entering testing-security from the unstable repo.

@martin-braun

martin-braun commented Feb 22, 2022

@khimaros Thanks for the quick response, I already removed my comment, because I realized this by myself. However one more thing: https://gist.github.com/khimaros/21db936fa7885360f7bfe7f116b78daf#file-debsecan-apt-priority-L27

This looks wrong to me, shouldn't the first EOF stay behind like at https://gist.github.com/khimaros/21db936fa7885360f7bfe7f116b78daf#file-debsecan-apt-priority-L13 ?

In any case, I will try this on a clean Debian in combination with additional Sparky repositories, will see how it goes. Thanks for your work.

@khimaros
Author

@martin-braun -- either syntax works. actually, i should mention that this file actually came from another repository https://gitlab.com/anarcat/puppet/-/raw/b6bc3e3dc982abcc4100143abb6594404b1241ac/site-modules/profile/files/debsecan-apt-priority which was originally started collaboratively on this bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725934

@martin-braun

@khimaros Great, thanks a lot! :) I'm using your solution and I hope it will work out in the long run. Thanks for sharing!

@jmzumg

jmzumg commented May 17, 2022

@khimaros

Thank you for the instructions and scripts here. They were extremely enlightening.

However I believe there is one small error in the instructions in README.md.

I believe the following line:

ln -sf /var/lib/debsecan/apt_priorities /etc/apt/preferences.d/unstable-security-packages

should actually read:

ln -sf /var/lib/debsecan/apt_preferences /etc/apt/preferences.d/unstable-security-packages

Otherwise the symbolic link points to a non-existent file. apt outputs the following error:

N: Ignoring `unstable-security-packages` in directory '/etc/apt/preferences.d/ as it is not a regular file

and the packages pinned by debsecan do not get upgraded.

I have tested using ln -sf /var/lib/debsecan/apt_preferences /etc/apt/preferences.d/unstable-security-packages instead and everything seems to work.

Thanks again for the instructions :)

@khimaros
Copy link
Author

khimaros commented Jun 7, 2022

@jmzumg thank you, updated!

@ericwikman

I think that for bookworm+ you need to add non-free-firmware to the sources.list file.

https://wiki.debian.org/Firmware

Thanks for maintaining this!

@crpb

crpb commented Dec 16, 2022

A suggestion
I would change the content of /etc/apt/apt.conf.d/99debsecan to

APT::Update::Post-Invoke { "/usr/sbin/debsecan-apt-priority"; };

just to make sure we have the latest info before doing any pinning.

I ran into the issue that it did pin some package which wasn't available anymore because the system wasn't running for a few days and so a second apt-get update was needed to "fix" that 🙈

@khimaros
Author

khimaros commented May 4, 2023

@crpb thanks for the suggestion, done!

@bilvapatra

The link to enable-unstable-updates.sh used in the installation section points to a version of 99debsecan that still says Pre-Invoke rather than Post-Invoke.

@yknip0

yknip0 commented Nov 9, 2023

> The link to enable-unstable-updates.sh used in the installation section points to a version of 99debsecan that still says Pre-Invoke rather than Post-Invoke.

Still true today...
sed -i 's/Pre-/Post-/' /etc/apt/apt.conf.d/99debsecan

Thank you khimaros!
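
Added example (not part of the gist or of any comment in this thread): a shell check for the two failure modes reported above, a preferences symlink whose target does not exist and a 99debsecan hook that still uses Pre-Invoke. The function name `check_debsecan_setup` is hypothetical; the default paths are the ones quoted in the comments.

```shell
#!/bin/sh
# Added example: sanity-check the debsecan pinning setup discussed in this thread.
# check_debsecan_setup is a hypothetical helper; defaults are the paths quoted above.
# Usage: check_debsecan_setup [PREFERENCES_LINK] [HOOK_CONF]

check_debsecan_setup() {
    pref="${1:-/etc/apt/preferences.d/unstable-security-packages}"
    hook="${2:-/etc/apt/apt.conf.d/99debsecan}"
    rc=0

    # apt ignores a preferences.d entry that is not a regular file. A symlink
    # whose target is missing fails both -e and -f, because they follow links.
    if [ -L "$pref" ] && [ ! -e "$pref" ]; then
        echo "FAIL: $pref is a dangling symlink -> $(readlink "$pref")"
        rc=1
    elif [ ! -f "$pref" ]; then
        echo "FAIL: $pref is missing or not a regular file"
        rc=1
    else
        echo "OK:   $pref resolves to a regular file"
    fi

    # The hook should regenerate the pins after the package lists are refreshed.
    if [ ! -f "$hook" ]; then
        echo "FAIL: $hook not found"
        rc=1
    elif grep -Eq '^[[:space:]]*APT::Update::Pre-Invoke.*debsecan-apt-priority' "$hook"; then
        echo "FAIL: $hook still uses Pre-Invoke (pins computed before the lists refresh)"
        rc=1
    elif grep -Eq '^[[:space:]]*APT::Update::Post-Invoke.*debsecan-apt-priority' "$hook"; then
        echo "OK:   $hook runs debsecan-apt-priority as Post-Invoke"
    else
        echo "FAIL: $hook has no debsecan-apt-priority update hook"
        rc=1
    fi

    return "$rc"
}
```

Called without arguments it checks the live system paths and returns non-zero if either check fails.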

@Daniel15

Thanks for this! Very useful.

@thunderbird-93

very useful indeed. more people should know about this. best of both worlds: relatively fresh packages yet quite stable.

@quiteBold

Hej @khimaros,

thanks a lot for your work! I just "installed" and so far it works fine. 👍

I myself use debian without root user, so always sudo it is. Therefore I had a lot of line by line copying, which is fine, but maybe it is worth thinking to have the sudo way instead of the root way.

Again: Thanks for your work! <3
Simon

@crpb

crpb commented Nov 25, 2024

@quiteBold

> so always sudo it is

why not just use sudo -i and be root for the moment?

@khimaros
Author

maintaining the hashes for all of these files has become onerous.

i've moved development to https://github.com/khimaros/debian-hybrid

please see the updated instructions there for how to use.
