WARNING: these commands can be very disruptive. review each of the files in this gist and on the filesystem which they will replace before executing the commands below.
when you run apt update, this script will be executed automatically. for each vulnerable package in testing which has been fixed in unstable, it will create a priority 990 pin for the unstable package.
It is a good idea to install security updates from unstable since they take extra time to reach testing and the security team only releases updates to unstable. If you have unstable in your apt sources but pinned lower than testing, you can automatically add temporary pinning for packages with security issues fixed in unstable using the output of debsecan.
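The pin stanzas described above, as an added example that is not the gist's debsecan-apt-priority script: it turns a list of package names (one per line) into apt preferences entries and drops any line that is not a plain package name. The function name `render_pins`, the `a=unstable` pin target and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not the gist's debsecan-apt-priority script).
# Reads package names on stdin, one per line, and writes one apt
# preferences stanza per valid name to stdout.

render_pins() (
    archive=${1:-unstable}   # assumption: pin target is a=unstable
    priority=${2:-990}       # priority stated on this page
    LC_ALL=C; export LC_ALL  # byte-wise ranges and stable sort order
    sort -u | while IFS= read -r pkg; do
        case $pkg in
            ''|[!a-z0-9]*|*[!a-z0-9+.-]*)
                # Reject anything containing characters outside the Debian
                # package-name set, so stray text never reaches the
                # preferences file.
                printf 'skipped: %s\n' "$pkg" >&2
                continue ;;
        esac
        printf 'Package: %s\nPin: release a=%s\nPin-Priority: %s\n\n' \
            "$pkg" "$archive" "$priority"
    done
)

# Constructed sample input: two valid names, a duplicate, and a bad line.
SAMPLE='openssl
chromium
openssl
Pin: release a=*'

printf '%s\n' "$SAMPLE" | render_pins
```

After `apt update`, `apt-cache policy <package>` shows whether a 990 pin is in effect for a given package.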
the installation section assumes that you are running debian testing and have the unstable repositories enabled and pinned at a lower priority than testing. you can usually achieve this by running the following as root:

    # curl -o /etc/apt/apt.conf.d/00default-release https://gist.githubusercontent.com/khimaros/21db936fa7885360f7bfe7f116b78daf/raw/698266fc043d6e906189b14e3428187ff0e7e7c8/00default-release
    # curl -o /etc/apt/sources.list https://gist.githubusercontent.com/khimaros/21db936fa7885360f7bfe7f116b78daf/raw/698266fc043d6e906189b14e3428187ff0e7e7c8/sources.list
    # apt update
execute the following commands as root:

    # apt install -y debsecan
    # curl -o /usr/sbin/debsecan-apt-priority https://gist.githubusercontent.com/khimaros/21db936fa7885360f7bfe7f116b78daf/raw/698266fc043d6e906189b14e3428187ff0e7e7c8/debsecan-apt-priority
    # curl -o /etc/apt/apt.conf.d/99debsecan https://gist.githubusercontent.com/khimaros/21db936fa7885360f7bfe7f116b78daf/raw/698266fc043d6e906189b14e3428187ff0e7e7c8/99debsecan
    # chmod 755 /usr/sbin/debsecan-apt-priority
    # ln -sf /var/lib/debsecan/apt_preferences /etc/apt/preferences.d/unstable-security-packages
    # apt update
i recommend always running chromium and firefox from unstable:

    # curl -o /etc/apt/preferences.d/unstable-packages https://gist.githubusercontent.com/khimaros/21db936fa7885360f7bfe7f116b78daf/raw/698266fc043d6e906189b14e3428187ff0e7e7c8/unstable-packages
    # apt update && apt install -y chromium firefox
note: uninstalling will not downgrade packages to their testing versions. you will need to do this yourself or wait for the packages to catch up on their own (which should typically happen within a few weeks).

    # rm -f /etc/apt/preferences.d/unstable-security-packages
    # rm -f /etc/apt/apt.conf.d/99debsecan
    # apt update