Hi,

On Sat, Aug 19, 2023 at 04:53:09PM +0200, Raphael Hertzog wrote:
> > The problem is that regex is NOT supported at the moment.
>
> Urgh, and you did not complain that the release notes actually encourage
> users to do that?

Yeah, that seems less than ideal. Brings me back to thinking we should change the security codename to something that's not going to need these hacky regexes then.

Since $release/security is not well liked for unclear ("dak") reasons (please someone elaborate if possible), perhaps an approach based on Ubuntu's is less controversial.

In debian-security/bookworm-security we have this right now:

    Origin: Debian
    Label: Debian-Security
    Suite: stable-security
    Version: 12
    Codename: bookworm-security

and we need the regex because $codename/$suite doesn't match "bookworm", "bookworm/*" or stable, stable/* resp.

Compare this to what Ubuntu uses:

    Origin: Ubuntu
    Label: Ubuntu
    Suite: kinetic-security
    Version: 22.10
    Codename: kinetic

Here APT::Default-Release "kinetic" would match just fine. Just seems they don't support the "stable" alias like we do.

Could we use this to cover both use-cases:

    Origin: Debian
    Label: Debian-Security
    Suite: stable
    Codename: bookworm

Now no weird hacks are necessary, APT::DefaultRelease "bookworm" or "stable" will match the security repos just fine.

Users that _really_ want to do weird things to the security repo can still use a "label" match in apt/preferences like `Pin: release l=Debian-Security`. I think you'd be able to combine this with a codename match to be specific about which release too: `Pin: release l=Debian-Security n=bookworm` but don't quote me on that until someone tests it.

I don't see any real downsides to this approach other than "ugh more change".

--Daniel