Forked from khimaros/00default-release
Created February 21, 2022 22:19
debian testing with automatic security updates from unstable
/etc/apt/apt.conf.d/00default-release:

```
APT::Default-Release "testing";
```

/etc/apt/apt.conf.d/99debsecan:

```
APT::Update::Pre-Invoke { "/usr/sbin/debsecan-apt-priority"; };
```


WARNING: these commands can be very disruptive. review each of the files in this gist and on the filesystem which they will replace before executing the commands below.

when you run apt update, this script will be executed automatically. for each vulnerable package in testing which has been fixed in unstable, it will create a priority 990 pin for the unstable package.



It is a good idea to install security updates from unstable since they take extra time to reach testing and the security team only releases updates to unstable. If you have unstable in your apt sources but pinned lower than testing, you can automatically add temporary pinning for packages with security issues fixed in unstable using the output of debsecan.


the installation section assumes that you are running debian testing and have the unstable repositories enabled and pinned at a lower priority than testing. you can usually achieve this by running the following as root:

```console
# curl -o /etc/apt/apt.conf.d/00default-release
# curl -o /etc/apt/sources.list
# apt update
```


execute the following commands as root:

```console
# apt install -y debsecan
# curl -o /usr/sbin/debsecan-apt-priority
# curl -o /etc/apt/apt.conf.d/99debsecan
# chmod 755 /usr/sbin/debsecan-apt-priority
# ln -sf /var/lib/debsecan/apt_priorities /etc/apt/preferences.d/unstable-security-packages
# apt update
```

special cases

i recommend always running chromium and firefox from unstable:

```console
# curl -o /etc/apt/preferences.d/unstable-packages
# apt update && apt install -y chromium firefox
```


note: uninstalling will not downgrade packages to their testing versions. you will need to do this yourself or wait for the packages to catch up on their own (which should typically happen within a few weeks).

```console
# rm -f /etc/apt/preferences.d/unstable-security-packages
# rm -f /etc/apt/apt.conf.d/99debsecan
# apt update
```
/usr/sbin/debsecan-apt-priority:

```sh
#!/bin/sh
# this program will add APT pinning for packages that are fixed in
# unstable and not testing
# see
set -e

echo "running debsecan check for issues fixed in unstable..." >&2

# write the new pin file under a temporary name and move it into place
# at the end, so APT never reads a half-written preferences file
rm -f /var/lib/debsecan/apt_preferences.disabled
cat > /var/lib/debsecan/apt_preferences.disabled <<EOF
# pin packages with security issues fixed in unstable
# generated automatically on $(date) by $0

EOF

# debsecan prints one line per issue, "CVE-... <package> (fixed, ...)";
# field 2 is the package name and sort -u collapses several CVEs per package
for pkg in $(debsecan --suite=sid --only-fixed | cut -d' ' -f2 | sort -u) ; do
    # suite to pin the package to; unstable for every package here
    case "$pkg" in
        *) suite=unstable ;;
    esac
    echo "adding pin to suite $suite for package $pkg" >&2
    cat <<EOF >> /var/lib/debsecan/apt_preferences.disabled
Package: $pkg
Pin: release a=$suite
Pin-Priority: 990

EOF
done

chmod 644 /var/lib/debsecan/apt_preferences.disabled
mv --force /var/lib/debsecan/apt_preferences.disabled /var/lib/debsecan/apt_preferences
```
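As an added example (not the gist's script), the same debsecan-to-pin transformation with one extra check a cautious admin usually wants: pin only packages that are actually installed, so the set of packages tracked from unstable stays limited to what is on the system. The debsecan output and the installed-package list are constructed stand-ins for `debsecan --suite=sid --only-fixed` and `dpkg-query -W -f '${Package}\n'`, with placeholder CVE ids.

```shell
#!/bin/sh
# Added example, not the gist's script: turn debsecan output into apt pin
# stanzas, but only for packages that are actually installed.
set -eu

# Constructed stand-in for `debsecan --suite=sid --only-fixed` output
# (placeholder CVE ids); the page's script also relies on field 2 being
# the package name.
SAMPLE_DEBSECAN='CVE-0000-0001 chromium (fixed, remotely exploitable, high urgency)
CVE-0000-0002 chromium (fixed, remotely exploitable, medium urgency)
CVE-0000-0003 libssl1.1 (fixed, remotely exploitable, low urgency)
CVE-0000-0004 vim (fixed, low urgency)'

# Constructed stand-in for `dpkg-query -W -f '${Package}\n'`.
SAMPLE_INSTALLED='chromium
libssl1.1
openssl'

# pins_for <debsecan_output> <installed_list> [suite] [priority]
# prints one apt preferences stanza per installed package with a fix
pins_for() {
  debsecan_out=$1 installed=$2 suite=${3:-unstable} prio=${4:-990}
  printf '%s\n' "$debsecan_out" | awk '{ print $2 }' | sort -u |
  while IFS= read -r pkg; do
    # a pin for a package that is not installed is inert today but would
    # silently pull that package from unstable if it gets installed later
    printf '%s\n' "$installed" | grep -Fqx -- "$pkg" || continue
    printf 'Package: %s\nPin: release a=%s\nPin-Priority: %s\n\n' \
      "$pkg" "$suite" "$prio"
  done
}

# count_stanzas <preferences_text>: how many packages got a pin
count_stanzas() {
  printf '%s\n' "$1" | grep -c '^Package: ' || true
}

# has_pin <preferences_text> <package>: succeeds if <package> is pinned
has_pin() {
  printf '%s\n' "$1" | grep -Fqx -- "Package: $2"
}

pins=$(pins_for "$SAMPLE_DEBSECAN" "$SAMPLE_INSTALLED")
printf '%s\n' "$pins"
echo "generated $(count_stanzas "$pins") pin(s)" >&2
```

On a real system, replace the two constructed variables with the output of the commands named in their comments; the stanzas go to the file the gist symlinks into /etc/apt/preferences.d.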
/etc/apt/sources.list:

```
deb testing main non-free contrib
deb-src testing main non-free contrib
deb testing-security main contrib non-free
deb-src testing-security main contrib non-free
deb unstable main non-free contrib
deb-src unstable main non-free contrib
```
/etc/apt/preferences.d/unstable-packages:

```
Package: chromium chromium-sandbox chromium-common
Pin: release a=unstable
Pin-Priority: 990

Package: firefox libnss3 libnss3:i386 libnss3-dev
Pin: release a=unstable
Pin-Priority: 990
```