THIS GIST HAS MOVED TO https://github.com/khimaros/debian-hybrid
PLEASE READ THE UPDATED INSTRUCTIONS CAREFULLY.
@khimaros Thanks for the quick response, I already removed my comment, because I realized this by myself. However one more thing: https://gist.github.com/khimaros/21db936fa7885360f7bfe7f116b78daf#file-debsecan-apt-priority-L27
This looks wrong to me, shouldn't the first EOF stay behind like at https://gist.github.com/khimaros/21db936fa7885360f7bfe7f116b78daf#file-debsecan-apt-priority-L13 ?
In any case, I will try this on a clean Debian in combination with additional Sparky repositories, will see how it goes. Thanks for your work.
@martin-braun -- either syntax works. actually, i should mention that this file actually came from another repository https://gitlab.com/anarcat/puppet/-/raw/b6bc3e3dc982abcc4100143abb6594404b1241ac/site-modules/profile/files/debsecan-apt-priority which was originally started collaboratively on this bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725934
@khimaros Great, thanks a lot! :) I'm using your solution and I hope it will work out in the long run. Thanks for sharing!
Thank you for the instructions and scripts here. They were extremely enlightening.
However I believe there is one small error in the instructions in README.md.
I believe the following line:
ln -sf /var/lib/debsecan/apt_priorities /etc/apt/preferences.d/unstable-security-packages
should actually read:
ln -sf /var/lib/debsecan/apt_preferences /etc/apt/preferences.d/unstable-security-packages
Otherwise the symbolic link points to a non-existent file. apt outputs the following error:
N: Ignoring `unstable-security-packages` in directory '/etc/apt/preferences.d/ as it is not a regular file
and the packages pinned by debsecan do not get upgraded.
I have tested using ln -sf /var/lib/debsecan/apt_preferences /etc/apt/preferences.d/unstable-security-packages instead and everything seems to work.
Thanks again for the instructions :)
@jmzumg thank you, updated!
I think that for bookworm+ you need to add non-free-firmware to the sources.list file.
https://wiki.debian.org/Firmware
Thanks for maintaining this!
A suggestion
I would change the content of /etc/apt/apt.conf.d/99debsecan to
APT::Update::Post-Invoke { "/usr/sbin/debsecan-apt-priority"; };
just to make sure we have the latest info before doing any pinning.
I ran into the issue that it did pin some package which wasn't available anymore because the system wasn't running for a few days and so a second apt-get update was needed to "fix" that 🙈
@crpb thanks for the suggestion, done!
The link to enable-unstable-updates.sh used in the installation section points to a version of 99debsecan that still says Pre-Invoke rather than Post-Invoke.
Still true today...
sed -i 's/Pre-/Post-/' /etc/apt/apt.conf.d/99debsecan
Thank you khimaros!
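Added example, not part of the thread or of the gist: a shell check for the two problems reported in the comments above, a preferences.d symlink whose target does not exist and a 99debsecan hook still set to Pre-Invoke. The ROOT argument is an assumption of this sketch; it prefixes both paths so the function can be tried on a scratch tree.

```shell
#!/bin/sh
# Added example (not from the gist). Checks the two problems reported in this
# thread. The optional ROOT argument is an assumption of this sketch: it
# prefixes both paths so the check can run on a scratch tree.
# Usage: check_debsecan_pinning          # live system
#        check_debsecan_pinning /tmp/t   # scratch tree
check_debsecan_pinning() {
    root="${1:-}"
    link="$root/etc/apt/preferences.d/unstable-security-packages"
    hook="$root/etc/apt/apt.conf.d/99debsecan"
    rc=0

    # apt ignores a preferences.d entry that is not a regular file, so a
    # symlink to a missing target means the pins are never applied.
    if [ -f "$link" ]; then            # -f follows the symlink
        echo "OK: $link resolves to a regular file"
    elif [ -L "$link" ]; then
        echo "FAIL: $link -> $(readlink "$link") (target missing)"; rc=1
    else
        echo "FAIL: $link is missing or not a regular file"; rc=1
    fi

    # The hook must run after 'apt-get update' has refreshed the lists,
    # otherwise pins are computed from stale package data.
    if [ ! -f "$hook" ]; then
        echo "FAIL: $hook does not exist"; rc=1
    else
        # Drop comment lines; assumes the single-line hook form quoted above.
        active=$(grep -Ev '^[[:space:]]*(//|#)' "$hook" || true)
        if printf '%s\n' "$active" | grep -q 'Pre-Invoke.*debsecan-apt-priority'; then
            echo "FAIL: $hook still uses Pre-Invoke"; rc=1
        elif printf '%s\n' "$active" | grep -q 'Post-Invoke.*debsecan-apt-priority'; then
            echo "OK: $hook uses Post-Invoke"
        else
            echo "FAIL: no debsecan-apt-priority hook found in $hook"; rc=1
        fi
    fi
    return "$rc"
}
```

The function returns non-zero if either check fails, so it can gate a provisioning step or a periodic health check.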
Thanks for this! Very useful.
very useful indeed. more people should know about this. best of the both worlds: relatively fresh packages yet quite stable.
Hej @khimaros,
thanks a lot for your work! I just "installed" and so far it works fine. 👍
I myself use debian without root user, so always sudo it is. Therefore I had a lot of line-by-line copying, which is fine, but maybe it is worth thinking to have the sudo way instead of the root way.
Again: Thanks for your work! <3
Simon
maintaining the hashes for all of these files has become onerous.
i've moved development to https://github.com/khimaros/debian-hybrid
please see the updated instructions there for how to use.
@martin-braun -- this is needed because there is still a delay (sometimes as long as weeks) between fixes entering testing-security from the unstable repo.