Hi, I have a user story relevant to #638024. TL;DR version:
When Default-Release is set and /var/lib/apt/lists is empty, apt-get check errors, and unattended-upgrades silently fail. Boring backstory follows. I'm making headless servers to be deployed in the homes of non-technical users. To harden them against operator error, their OS is a read-only Debian Live image. As part of my Best Current Practice I set Default-Release "stretch", to prevent accidental dist-upgrades when sources.list is in an unusual state. (For THIS server, that's unlikely, but it's BCP so I do it everywhere.) To make the image smaller, /var/lib/apt/lists is not included. (It'll have to download the full Packages files after each reboot, but these servers won't reboot regularly, so that's fine.) As part of my Best Current Practice I install and enable unattended-upgrades. This won't fix kernel vulns (since it's a read-only image), but it WILL fix userland vulns (e.g. to glibc). (It'll have to re-download all the security patches after each reboot, but these servers won't reboot regularly, so that's fine.) With this framework, unattended-upgrades doesn't work, and this shows why: root@datasafe:~# cat >/etc/apt/apt.conf.d/20derp APT::Periodic::Verbose "2"; root@datasafe:~# /usr/lib/apt/apt.systemd.daily update verbose level 2 Reading package lists... Done E: The value 'stretch' is invalid for APT::Default-Release as such a release is not available in the sources error encountered in cron job with "apt-get check". Note that APT::Default-Release is the ONLY problem here: root@datasafe:~# apt-get check Reading package lists... Done E: The value 'stretch' is invalid for APT::Default-Release as such a release is not available in the sources root@datasafe:~# apt-get check -t '' Reading package lists... Done Building dependency tree Reading state information... Done Doing the first apt update by hand fixes the immediate problem: root@datasafe:~# apt update -qq All packages are up to date. root@datasafe:~# rm /var/lib/apt/periodic/update-stamp root@datasafe:~# /usr/lib/apt/apt.systemd.daily update verbose level 2 Reading package lists... Done Building dependency tree Reading state information... Done check_stamp: missing time stamp file: /var/lib/apt/periodic/update-stamp. Hit:1 http://security.debian.org stretch/updates InRelease Ign:2 http://cdn-fastly.deb.debian.org/debian stretch InRelease Hit:3 http://cdn-fastly.deb.debian.org/debian stretch-updates InRelease Hit:4 http://cdn-fastly.deb.debian.org/debian stretch-backports InRelease Hit:5 http://cdn-fastly.deb.debian.org/debian stretch Release Reading package lists... Done download updated metadata (success). send dbus signal (success) check_stamp: interval=0 download upgradable (not run) unattended-upgrade -d (not run) Unfortunately that basically means I have to run "apt update" by hand after every reboot. I could do that in a simple @reboot cron job (or systemd.timer equivalent), but what happens if the user turns on the computer while the network cable is unplugged? In that case, the @reboot apt update will fail, and we're back to unattended-upgrades not applying. I could run apt by hand when "the" network is up, e.g. via network-wait-online.target or an interfaces(5) post-up command. But this actually runs as soon as systemd-networkd has a route to google, not when HTTP to deb.debian.org is allowed, so it can still fail in obscure edge cases (e.g. if the device is booted behind a hotel's captive portal). Is there some way to resolve this on your end? Allowing Default-Release "foo" when /var/lib/apt/lists is empty would be ideal for me, but I suspect not for you. ☺ In the meantime, AFAICT my options are: • don't set Default-Release, and accept the low-chance high-impact risk of accidental dist-upgrade. • run apt update by hand whenever "the" network is "up", and accept the low-chance high-impact risk of no security patches if the update fails. • make /var/lib/apt/lists persistent across reboots, and accept the extra cost (for the HDD or whatever), complexity, and failure modes when the storage dies or gets corrupted.