martin-braun/00default-release

## 00default-release
APT::Default-Release "testing";

## 99debsecan
APT::Update::Pre-Invoke { "/usr/sbin/debsecan-apt-priority"; };

## README.md

      
    Raw
  

              README.md
            
          
    overview

WARNING: these commands can be very disruptive. review each of the files in this gist and on the filesystem which they will replace before executing the commands below.
when you run apt update, this script will be executed automatically. for each vulnerable package in testing which has been fixed in unstable, it will create a priority 990 pin for the unstable package.
background

from https://wiki.debian.org/DebianTesting:

It is a good idea to install security updates from unstable since they take extra time to reach testing and the security team only releases updates to unstable. If you have unstable in your apt sources but pinned lower than testing, you can automatically add temporary pinning for packages with security issues fixed in unstable using the output of debsecan.

prerequisites

the installation section assumes that you are running debian testing and have the unstable repositories enabled and pinned at a lower priority than staging. you can usually achieve this by running the following as root:
# curl -o /etc/apt/apt.conf.d/00default-release https://gist.githubusercontent.com/khimaros/21db936fa7885360f7bfe7f116b78daf/raw/698266fc043d6e906189b14e3428187ff0e7e7c8/00default-release
# curl -o /etc/apt/sources.list https://gist.githubusercontent.com/khimaros/21db936fa7885360f7bfe7f116b78daf/raw/698266fc043d6e906189b14e3428187ff0e7e7c8/sources.list
# apt update

installation

execute the following commands as root:
# apt install -y debsecan
# curl -o /usr/sbin/debsecan-apt-priority https://gist.githubusercontent.com/khimaros/21db936fa7885360f7bfe7f116b78daf/raw/698266fc043d6e906189b14e3428187ff0e7e7c8/debsecan-apt-priority
# curl -o /etc/apt/apt.conf.d/99debsecan https://gist.githubusercontent.com/khimaros/21db936fa7885360f7bfe7f116b78daf/raw/698266fc043d6e906189b14e3428187ff0e7e7c8/99debsecan
# chmod 755 /usr/sbin/debsecan-apt-priority
# ln -sf /var/lib/debsecan/apt_priorities /etc/apt/preferences.d/unstable-security-packages
# apt update

special cases

i recommend always running chromium and firefox from unstable:
# curl -o /etc/apt/preferences.d/unstable-packages https://gist.githubusercontent.com/khimaros/21db936fa7885360f7bfe7f116b78daf/raw/698266fc043d6e906189b14e3428187ff0e7e7c8/unstable-packages
# apt update && apt install -y chromium firefox

uninstallation

note: uninstalling will not downgrade packages to their testing versions. you will need to do this yourself or wait for the packages to catch up on their own (which should typically happen within a few weeks).
# rm -f /etc/apt/preferences.d/unstable-security-packages
# rm -f /etc/apt/apt.conf.d/99debsecan
# apt update


## debsecan-apt-priority
#!/bin/sh

# this program will add APT pinning for packages that are fixed in
# unstable and not testing
#
# see https://bugs.debian.org/725934

set -e

echo "running debsecan check for issues fixed in unstable..." >&2

rm -f /var/lib/debsecan/apt_preferences.disabled
cat > /var/lib/debsecan/apt_preferences.disabled <<EOF
# pin packages with security issues fixed in unstable
# generated automatically on $(date) by $0

EOF

for pkg in $(debsecan --suite=sid --only-fixed | cut -d\  -f2 | sort -u) ; do
    suite=unstable
    case "$pkg" in
        *-dbgsym)
            suite=unstable-debug
            ;;
    esac
    echo "adding pin to suite $suite for package $pkg" >&2
    cat <<EOF >> /var/lib/debsecan/apt_preferences.disabled
Package: $pkg
Pin: release a=$suite
Pin-Priority: 990

EOF
done
chmod 644 /var/lib/debsecan/apt_preferences.disabled
mv --force /var/lib/debsecan/apt_preferences.disabled /var/lib/debsecan/apt_preferences

## sources.list
deb http://deb.debian.org/debian/ testing main non-free contrib
deb-src http://deb.debian.org/debian/ testing main non-free contrib

deb http://security.debian.org/debian-security testing-security main contrib non-free
deb-src http://security.debian.org/debian-security testing-security main contrib non-free

deb http://deb.debian.org/debian/ unstable main non-free contrib
deb-src http://deb.debian.org/debian/ unstable main non-free contrib

## unstable-packages
Package: chromium chromium-sandbox chromium-common
Pin: release a=unstable
Pin-Priority: 990

Package: firefox libnss3 libnss3:i386 libnss3-dev
Pin: release a=unstable
Pin-Priority: 990
	#!/bin/sh

	# this program will add APT pinning for packages that are fixed in
	# unstable and not testing
	#
	# see https://bugs.debian.org/725934

	set -e

	echo "running debsecan check for issues fixed in unstable..." >&2

	rm -f /var/lib/debsecan/apt_preferences.disabled
	cat > /var/lib/debsecan/apt_preferences.disabled <<EOF
	# pin packages with security issues fixed in unstable
	# generated automatically on $(date) by $0

	EOF

	for pkg in $(debsecan --suite=sid --only-fixed \| cut -d\ -f2 \| sort -u) ; do
	suite=unstable
	case "$pkg" in
	*-dbgsym)
	suite=unstable-debug
	;;
	esac
	echo "adding pin to suite $suite for package $pkg" >&2
	cat <<EOF >> /var/lib/debsecan/apt_preferences.disabled
	Package: $pkg
	Pin: release a=$suite
	Pin-Priority: 990

	EOF
	done
	chmod 644 /var/lib/debsecan/apt_preferences.disabled
	mv --force /var/lib/debsecan/apt_preferences.disabled /var/lib/debsecan/apt_preferences
	deb http://deb.debian.org/debian/ testing main non-free contrib
	deb-src http://deb.debian.org/debian/ testing main non-free contrib

	deb http://security.debian.org/debian-security testing-security main contrib non-free
	deb-src http://security.debian.org/debian-security testing-security main contrib non-free

	deb http://deb.debian.org/debian/ unstable main non-free contrib
	deb-src http://deb.debian.org/debian/ unstable main non-free contrib
	Package: chromium chromium-sandbox chromium-common
	Pin: release a=unstable
	Pin-Priority: 990

	Package: firefox libnss3 libnss3:i386 libnss3-dev
	Pin: release a=unstable
	Pin-Priority: 990